You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2023/06/21 23:54:00 UTC

[jira] [Updated] (GUACAMOLE-1818) Migrate away from including auth token within WebSocket tunnel URL

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper updated GUACAMOLE-1818:
-----------------------------------
    Summary: Migrate away from including auth token within WebSocket tunnel URL  (was: Auth token as a parameter in "websocket-tunnel" request)

> Migrate away from including auth token within WebSocket tunnel URL
> ------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1818
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1818
>             Project: Guacamole
>          Issue Type: Wish
>          Components: guacamole
>            Reporter: Benjamin
>            Priority: Minor
>
> The following HTTP requests example generated by Guacamole client contains authentication service tokens via URL query parameters, which could be leaked from server log files, “Referer header” of HTTP request, etc. 
> Example:
> GET /workstation/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp
> I was able to verify this for both 1.5.2 and 1.5.1, older releases are probably also affected by this.
> This is similar to: GUACAMOLE-1775



--
This message was sent by Atlassian Jira
(v8.20.10#820010)