safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-524: Require usages of SimpleConnection to explicitly request automatic interpretation of parameter tokens. Do not enable by default.

Browse Source 
Previous implementations of SimpleConnection did not interpret parameter
tokens automatically. Adding that behavior now could have security
implications for downstream users of the class if parameter values may
unexpectedly contain substrings which would be interpreted as tokens,
particularly if parameter values are built from untrusted input.
This commit is contained in:
Michael Jumper
2019-01-21 19:55:33 -08:00
parent 7e67dde751
commit 6be722ed9d
4 changed files with 107 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectDirectory.java
View File

@@ -107,7 +107,7 @@ public class QuickConnectDirectory extends SimpleDirectory<Connection> {
String name = QCParser.getName(config);
// Create a new connection and set the parent identifier.
Connection connection = new SimpleConnection(name, newConnectionId, config);
Connection connection = new SimpleConnection(name, newConnectionId, config, true);
connection.setParentIdentifier(QuickConnectUserContext.ROOT_IDENTIFIER);
// Place the object in this directory.