Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2021/08/23 16:18:00 UTC

[jira] [Comment Edited] (GUACAMOLE-1261) Users/groups with identifiers containing slashes cannot be modified

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17403276#comment-17403276 ] 

Mike Jumper edited comment on GUACAMOLE-1261 at 8/23/21, 4:17 PM:
------------------------------------------------------------------

Retesting the latest changes on git, things no longer fail for user and group management involving slashes so long as Tomcat is started with the following options:

* {{-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true}}
* {{-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true}}

However, backslashes still do not 100% work as the browser (or AngularJS?) automatically replaces backslashes with forward slashes, changing the identifier of the desired object to the identifier of something else.

For example, if both {{test/user}} and {{test\user}} exist, the URL to edit {{test\user}} will automatically change to the URL for {{test/user}}, and the admin will instead be presented with a screen for editing {{test/user}}. If {{test/user}} does not exist, the admin will instead be presented with a screen for _creating_ {{test/user}}.

Manually changing the erroneous forward slash in the username to a URL-encoded backslash ({{%5C}}) appears to solve the issue, suggesting that perhaps the links for individual users/groups within the admin interface are incorrectly generated.


was (Author: mike.jumper):
Retesting the latest changes on git, things no longer fail for user and group management involving slashes so long as Tomcat is started with the following options:

* {{-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true}}
* {{-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true}}

However, backslashes still do not 100% work as the browser (or AngularJS?) automatically transforms replaces backslashes with forward slashes, changing the identifier of the desired object to the identifier of something else.

For example, if both {{test/user}} and {{test\user}} exist, the URL to edit {{test\user}} will automatically change to the URL for {{test/user}}, and the admin will instead be presented with a screen for editing {{test/user}}. If {{test/user}} does not exist, the admin will instead be presented with a screen for _creating_ {{test/user}}.

Manually changing the erroneous forward slash in the username to a URL-encoded backslash ({{%5C}}) appears to solve the issue, suggesting that perhaps the links for individual users/groups within the admin interface are incorrectly generated.

> Users/groups with identifiers containing slashes cannot be modified
> -------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1261
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1261
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>            Reporter: David McDonald
>            Assignee: Nick Couchman
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> When a forward slash is included in the name of a User Group, the hyperlink that is supposed to direct the user to the settings page for that User Group is broken, redirecting the user to the main page. This is because the slash is not properly escaped in the URL, leading to its interpretation as part of the path.
> Once this happens, the only way to delete/update that User Group is through deleting/updating its entry in the MySQL/PostgreSQL database directly.
> This is likely present in other areas of the website, such as users, connections, etc. The most probable solution involves improving input validation through, for example, disallowing the use of forward slashes in names.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
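
Added example, not part of the original thread and not Guacamole code: it shows one standard mechanism by which an unescaped backslash in an http(s) URL path becomes a forward slash (WHATWG URL parsing), so that {{test\user}} and {{test/user}} collapse to the same link, and how percent-encoding the identifier as a single path segment keeps them distinct. The base URL, the /api/users/ route and all function names are hypothetical.

```javascript
// Hypothetical route prefix; not taken from Guacamole.
const BASE = 'http://guac.example.invalid/api/users/';

// Link built by plain concatenation: the identifier is not escaped.
function naiveLink(id) {
  return new URL(BASE + id).href;
}

// Link built with the identifier percent-encoded as one path segment,
// so "/" becomes %2F and "\" becomes %5C.
function encodedLink(id) {
  return new URL(BASE + encodeURIComponent(id)).href;
}

// Recover the identifier the way a router would: strip the route
// prefix from the parsed path, then percent-decode the remainder.
function identifierFrom(link) {
  const prefixLength = new URL(BASE).pathname.length;
  return decodeURIComponent(new URL(link).pathname.slice(prefixLength));
}

// True when the identifier survives link generation and parsing intact.
function roundTrips(makeLink, id) {
  return identifierFrom(makeLink(id)) === id;
}

// Constructed sample identifiers from the comment above.
for (const id of ['test/user', 'test\\user']) {
  console.log(id, '| naive:', naiveLink(id), '| encoded:', encodedLink(id));
}
```

With the encoded form the server must still accept {{%2F}} and {{%5C}} in the path, which is what the two Tomcat options listed in the comment control.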