Posted to issues@guacamole.apache.org by "Ares (Jira)" <ji...@apache.org> on 2023/04/18 23:35:00 UTC

[jira] [Commented] (GUACAMOLE-1775) Auth token as a parameter in "session/tunnels/<tunnel ID>/protocol" request

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17713795#comment-17713795 ] 

Ares commented on GUACAMOLE-1775:
---------------------------------

A fix for this is being worked on, and I am trying to create a PR with all the required components by following the guidance provided by the contributors. I will update the progress on this Jira from now on.

Reference: [GUACAMOLE-956: Use header instead of http parameter for session/tunnels/<tunnel ID>/protocol by aresliharris · Pull Request #832 · apache/guacamole-client (github.com)|https://github.com/apache/guacamole-client/pull/832]

> Auth token as a parameter in "session/tunnels/<tunnel ID>/protocol" request
> ---------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1775
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1775
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole, guacamole-client
>    Affects Versions: 1.4.0, 1.5.0
>            Reporter: Ares
>            Priority: Major
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> The following example HTTP request generated by the Guacamole client contains authentication service tokens in URL query parameters, which could be leaked through server log files, the “Referer” header of HTTP requests, etc.
> Example: GET /api/session/tunnels/<tunnel ID>/protocol?token=<token>
>  
> This has been found in 1.4.0 and 1.5.0. 
>  



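As an added example (not part of the Jira message or of Guacamole's code), the following Python audits access-log lines for the leak described in the report: a `token` value in the query string of the request line or of the Referer field, flagged when the path is the `session/tunnels/<tunnel ID>/protocol` endpoint, and masked in the scrubbed output. It assumes the Apache/NGINX "combined" log format; the function names and the sample log entries are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Path from the report: /api/session/tunnels/<tunnel ID>/protocol
TUNNEL_PROTOCOL = re.compile(r"/api/session/tunnels/[^/]+/protocol$")
# Assumed log layout: Apache/NGINX "combined" format.
REQUEST = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
REFERER = re.compile(r'" \d{3} \S+ "(?P<url>[^"]*)"')

def redact_url(url):
    """Return (url with the token value masked, True if a token value was present)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k == "token" and v for k, v in pairs):
        return url, False
    masked = urlencode([(k, "REDACTED" if k == "token" else v) for k, v in pairs])
    return urlunsplit(parts._replace(query=masked)), True

def audit_line(line):
    """Return (scrubbed line, [(field, is_tunnel_protocol_endpoint), ...])."""
    findings = []
    for field, pattern in (("request", REQUEST), ("referer", REFERER)):
        match = pattern.search(line)
        if not match:
            continue
        url = match.group("url")
        clean, leaked = redact_url(url)
        if leaked:
            findings.append((field, bool(TUNNEL_PROTOCOL.search(urlsplit(url).path))))
            line = line.replace(url, clean)
    return line, findings

def audit(lines):
    """Scrub every line and collect findings keyed by 1-based line number."""
    scrubbed, report = [], {}
    for number, line in enumerate(lines, 1):
        clean, findings = audit_line(line)
        scrubbed.append(clean)
        if findings:
            report[number] = findings
    return scrubbed, report

# Constructed sample entries: addresses, host, tunnel ID and token are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Apr/2023:23:35:00 +0000] "GET /api/session/tunnels/5f1c-EXAMPLE/protocol?token=CONSTRUCTEDTOKEN0001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Apr/2023:23:35:02 +0000] "GET /images/logo.png HTTP/1.1" 200 1024 "https://guac.example.test/api/session/tunnels/5f1c-EXAMPLE/protocol?token=CONSTRUCTEDTOKEN0001" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Apr/2023:23:35:05 +0000] "GET /api/session/tunnels/5f1c-EXAMPLE/protocol HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    scrubbed, report = audit(SAMPLE_LOG)
    print(report)
    print("\n".join(scrubbed))
```

A token that has already reached a log or a Referer header should be treated as exposed until the session it belongs to has ended; masking the log only limits further spread.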