safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-770: Avoid letting attribute be manually set and reset confirmation along with secret.

Browse Source
This commit is contained in:
Virtually Nick
2020-04-03 23:17:43 -04:00
parent 4f4a060d4a
commit c7cb40d8f1
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/TOTPUser.java
View File

@@ -108,12 +108,17 @@ public class TOTPUser extends DelegatingUser {
// Create independent, mutable copy of attributes // Create independent, mutable copy of attributes
attributes = new HashMap<>(attributes); attributes = new HashMap<>(attributes);
// Do not expose any TOTP secret attribute outside this extension
attributes.remove(TOTP_KEY_SECRET_ATTRIBUTE_NAME);
// Pull off the boolean reset field // Pull off the boolean reset field
String reset = attributes.remove(TOTP_KEY_SECRET_RESET_FIELD); String reset = attributes.remove(TOTP_KEY_SECRET_RESET_FIELD);
// If reset has been set to true, clear the secret. // If reset has been set to true, clear the secret.
if (reset != null && reset.equals("true")) if (reset != null && reset.equals("true")) {
attributes.put(TOTP_KEY_SECRET_ATTRIBUTE_NAME, null); attributes.put(TOTP_KEY_SECRET_ATTRIBUTE_NAME, null);
attributes.put(TOTP_KEY_CONFIRMED_ATTRIBUTE_NAME, null);
}
super.setAttributes(attributes); super.setAttributes(attributes);