[ https://issues.apache.org/jira/browse/GUACAMOLE-1818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Jumper updated GUACAMOLE-1818:
-----------------------------------
Summary: Migrate away from including auth token within WebSocket tunnel URL
(was: Auth token as a parameter in "websocket-tunnel" request)
> Migrate away from including auth token within WebSocket tunnel URL
> ------------------------------------------------------------------
>
> Key: GUACAMOLE-1818
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1818
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole
> Reporter: Benjamin
> Priority: Minor
>
> The following example HTTP request generated by the Guacamole client contains
> authentication service tokens in URL query parameters, which could be leaked
> from server log files, the “Referer header” of an HTTP request, etc.
> Example:
> GET /workstation/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp
> I was able to verify this for both 1.5.2 and 1.5.1; older releases are
> probably also affected by this.
> This is similar to: GUACAMOLE-1775
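
Added example (not part of the Jira issue or of Guacamole's own code): a Python filter that redacts the "token" query parameter from access-log lines, checking the request line and the Referer field, the two leak paths named in the description. It assumes Combined Log Format; the sample lines, hosts and token values are constructed.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] )"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# A query parameter named exactly "token", as in the request quoted in the issue.
TOKEN_RE = re.compile(r'(?<=[?&])token=[^&\s"#]*')
PLACEHOLDER = "token=REDACTED"


def scrub(line):
    """Return (scrubbed_line, leaked_fields) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        # Unknown layout: still redact anywhere in the line, field unknown.
        out, n = TOKEN_RE.subn(PLACEHOLDER, line)
        return out, (["unparsed"] if n else [])
    fields = m.groupdict()
    leaked = []
    for name in ("request", "referer"):
        if fields[name] is None:
            continue
        fields[name], n = TOKEN_RE.subn(PLACEHOLDER, fields[name])
        if n:
            leaked.append(name)
    out = '{head}"{request}" {status} {size}'.format(**fields)
    if fields["referer"] is not None:
        out += ' "{referer}" "{agent}"'.format(**fields)
    return out, leaked


# Constructed sample lines; the token values are made up.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /workstation/websocket-tunnel'
    '?token=EXAMPLETOKEN1&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c HTTP/1.1"'
    ' 101 0 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /static/logo.png HTTP/1.1"'
    ' 200 512 "https://gw.example/workstation/?token=EXAMPLETOKEN1" "ExampleAgent/1.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /workstation/api/languages'
    '?mytoken=abc HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line in SAMPLE:
        scrubbed, leaked = scrub(line)
        print(leaked or "clean", scrubbed)
```

The other query parameters (GUAC_ID, GUAC_TYPE, and so on) are left untouched so the scrubbed logs stay usable for troubleshooting.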