[jira] [Updated] (GUACAMOLE-1818) Auth token as a parameter in "websocket-tunnel" request

[Benjamin (Jira)]

     [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benjamin updated GUACAMOLE-1818:
--------------------------------
    Description: 
The following HTTP requests example generated by Guacamole client contains 
authentication service tokens via URL query parameters, which could be leaked 
from server log files, “Referer header” of HTTP request, etc. 

Example:

GET 
/workstation/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp

I was able to verify this for both 1.5.2 and 1.5.1, older releases are probably 
also affected by this.

This is similar to: GUACAMOLE-1775

  was:
The following HTTP requests example generated by Guacamole client contains 
authentication service tokens via URL query parameters, which could be leaked 
from server log files, “Referer header” of HTTP request, etc. 

Example:

GET 
/workstation/websocket-tunnel?token=<token>GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp

I was able to verify this for both 1.5.2 and 1.5.1, older releases are probably 
also affected by this.

This is similar to: GUACAMOLE-1775


> Auth token as a parameter in "websocket-tunnel" request
> -------------------------------------------------------
>
>                 Key: GUACAMOLE-1818
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1818
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole, guacamole-client
>    Affects Versions: 1.5.2, 1.5.1
>            Reporter: Benjamin
>            Priority: Major
>
> The following HTTP requests example generated by Guacamole client contains 
> authentication service tokens via URL query parameters, which could be leaked 
> from server log files, “Referer header” of HTTP request, etc. 
> Example:
> GET 
> /workstation/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp
> I was able to verify this for both 1.5.2 and 1.5.1, older releases are 
> probably also affected by this.
> This is similar to: GUACAMOLE-1775



--
This message was sent by Atlassian Jira
(v8.20.10#820010)