This patch against CVS fixes an issue where the user's supplied login credentials could override what was pre-set for a module when using automatic login (rdp_autologin). This would introduce two security problems:
- It would be possible for a user to use alternative login credentials for a module, allowing them to log in with another account they have credentials for when they are not supposed to be allowed to, where that module is a session manager.
- Thin clients would require the login details be publicly accessible for them to be able to download the login information, which would mean anyone on the network could download the configuration file and see the login credentials that the clients used.

With this patch, if a module has the username and password pre-set (not set to "ask" in xrdp.ini), it will use those details and ignore whatever credentials the client supplies.

Again, please CC me in on any replies, as I'm not on-list.

Cheers,
--Michael
--- xrdp/xrdp/xrdp_wm.c.orig 2009-05-28 18:41:18.000000000 +0930 +++ xrdp/xrdp/xrdp_wm.c 2009-05-28 18:44:55.000000000 +0930 @@ -412,14 +412,30 @@ if (g_strncmp("password", q, 255) == 0) { list_add_item(self->mm->login_names, (long)g_strdup("password")); - list_add_item(self->mm->login_values, + if (g_strncmp("ask", r, 255) != 0) { + // the password has been manually set in the config, use that + // instead of what the client says. + list_add_item(self->mm->login_values, (long)g_strdup(r)); + } else { + // the password has been asked for by the module, use what the + // client says. + list_add_item(self->mm->login_values, (long)g_strdup(self->session->client_info->password)); + } } else if (g_strncmp("username", q, 255) == 0) { list_add_item(self->mm->login_names, (long)g_strdup("username")); - list_add_item(self->mm->login_values, + if (g_strncmp("ask", r, 255) != 0) { + // the username has been manually set in the config, user that + // instead of what the client says. + list_add_item(self->mm->login_values, (long)g_strdup(r)); + } else { + // the username has been asked for by the module, use what the + // client says. + list_add_item(self->mm->login_values, (long)g_strdup(self->session->client_info->username)); + } } else {
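Review bot: The new `g_strncmp("ask", r, 255) != 0` checks in both the password and username branches treat every value other than the exact lowercase string "ask" as a pre-set credential, so an entry such as `password=` with an empty value in xrdp.ini is forwarded to the module as an empty password and the client is silently never prompted; consider treating an empty `r` the same as "ask" (or rejecting it at config-load time) and, if the ini parser does not normalise case, comparing case-insensitively. The two branches are otherwise identical apart from the client field, so a small helper taking `r` and the client-supplied value would remove the duplication. Minor: the username comment reads "user that" where "use that" is meant, and the continuation lines `(long)g_strdup(r));` should be indented under their `list_add_item` calls to match the surrounding code.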
_______________________________________________
xrdp-devel mailing list
xrdp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xrdp-devel