[
https://issues.apache.org/jira/browse/GUACAMOLE-1025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Couchman updated GUACAMOLE-1025:
-------------------------------------
Fix Version/s: 1.4.0
> Allow QuickConnect Extension to Block Certain Parameters
> --------------------------------------------------------
>
> Key: GUACAMOLE-1025
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1025
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-quickconnect
> Reporter: Nick Couchman
> Assignee: Nick Couchman
> Priority: Minor
> Fix For: 1.4.0
>
>
> Based on knowledge (as documented in the manual) about some of the security
> implications of the QuickConnect module, and a recent conversation on the
> mailing list, it seems like it would be good to add an option or two to the
> QuickConnect authentication module that allows the server administrator to
> control which connection parameters can be used when creating connections and
> which ones will be vetoed or ignored. I'm thinking that two options could be
> implemented:
> quickconnect-allowed-parameters
> quickconnect-denied-parameters
> The logic would be as follows:
> * If quickconnect-allowed-parameters is set, ONLY the parameters specified in
> that option will be allowed, and ALL others will be discarded.
> * If quickconnect-denied-parameters is set, the parameters specified in that
> option will be discarded, and ALL others will be allowed.
> * If both are set (which shouldn't happen under normal circumstances), the
> parameters set in quickconnect-allowed-parameters will be allowed, unless
> they also occur in quickconnect-denied-parameters, in which case they will be
> discarded along with anything else not set in quickconnect-allowed-parameters.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
