clone #333 -1
reassign -1 python-x2go
retitle -1 Users can inject arbitrary data into Pyhoca-GUI via .bashrc
thanks
Hi All,

On Tue 29 Oct 2013 13:36:14 CET, Mike Gabriel wrote:
> Hi All,
>
> Dan Halbert made me aware of it being easily possible to inject arbitrary data into X2Go Client via the server-side .bashrc file. This surely is a security problem in X2Go.
>
> Thus, I found that we really need to do some sanity checks on incoming output from X2Go Servers to avoid such injections.
>
> The idea is to invoke the server-side command with a UUID hash before and after the actual command invocation:
>
> 1. execute server-side command from X2Go Client:
>
>    ssh <user>@<server> sh -c "echo X2GODATABEGIN:<uuidhash> && <x2gocmd> && echo X2GODATAEND:<uuidhash>"
>
> 2. read data from X2Go Server:
>
>    X2GODATABEGIN:<uuidhash>
>    <x2godata_line1>
>    <x2godata_line2>
>    ....
>    <x2godata_lineN>
>    X2GODATAEND:<uuidhash>
>
> 3. cut out the X2Go data returned by the server (in C++):
>
>    QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
>    QString end_marker = "X2GODATAEND:"+uuid+"\n";
>    int output_begin=stdOutString.indexOf(begin_marker) + begin_marker.length();
>    int output_end=stdOutString.indexOf(end_marker);
>    output = stdOutString.mid(output_begin, output_end-output_begin);
>
> I have a patch locally for this and will commit it in a minute. We can discuss the patch and move on from there when it's there.
>
> Unfortunately, this patch does not fix #327 as it is impossible to use scp with echoing .bashrc files. With this patch applied, the session starts, but setting up the SSHfs shares fails with locking up X2Go Client.
>
> For people who depend on echoing .bashrc files, please read my last post on #327.
>
> Mike
This actually also applies to Python X2Go.

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: [email protected], http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
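The marker-delimited extraction described in the quoted mail, as an added Python example that is not X2Go's or Python X2Go's own code: it builds the wrapped `sh -c` command, cuts the real data out of stdout that an echoing .bashrc has padded on both sides, and treats a missing marker as an error instead of turning an indexOf() result of -1 into a bogus offset. The server command name `x2golistsessions` and the sample stdout are assumptions made for the example.

```python
import shlex
import uuid

BEGIN_MARKER = "X2GODATABEGIN:"
END_MARKER = "X2GODATAEND:"

def new_marker() -> str:
    """One fresh, unguessable marker per invocation (UUID4 as hex)."""
    return uuid.uuid4().hex

def build_remote_command(x2go_cmd: str, marker: str) -> str:
    """Wrap the server-side command in the begin/end marker echoes and
    quote the result so it survives as a single 'sh -c' argument."""
    wrapped = "echo {b}{m} && {cmd} && echo {e}{m}".format(
        b=BEGIN_MARKER, e=END_MARKER, m=marker, cmd=x2go_cmd)
    return "sh -c " + shlex.quote(wrapped)

def extract_x2go_data(stdout: str, marker: str) -> str:
    """Return only the lines between the two markers; anything a .bashrc
    prints before or after them is discarded. A missing marker raises,
    whereas a plain indexOf()+length() would silently use -1+len."""
    begin_line = BEGIN_MARKER + marker + "\n"
    end_line = END_MARKER + marker + "\n"
    start = stdout.find(begin_line)
    if start == -1:
        raise ValueError("begin marker not found in server output")
    start += len(begin_line)
    end = stdout.find(end_line, start)
    if end == -1:
        raise ValueError("end marker not found in server output")
    return stdout[start:end]

# Constructed sample, not a real X2Go transcript: an echoing .bashrc
# prints noise before and after the data the client actually wants.
SAMPLE_MARKER = "0f3c2b1a9d8e4c7fb6a5d4e3c2b1a0f9"
SAMPLE_STDOUT = (
    "Welcome! (printed by the server-side .bashrc)\n"
    + BEGIN_MARKER + SAMPLE_MARKER + "\n"
    + "x2godata_line1\n"
    + "x2godata_line2\n"
    + END_MARKER + SAMPLE_MARKER + "\n"
    + "bye (also from .bashrc)\n"
)

if __name__ == "__main__":
    # x2golistsessions is assumed here as the wrapped server command
    print(build_remote_command("x2golistsessions", SAMPLE_MARKER))
    print(extract_x2go_data(SAMPLE_STDOUT, SAMPLE_MARKER), end="")
```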
_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
