the credentials are passed on the URL, which is very unreliable #35

Closed
mvk opened this issue Dec 11, 2015 · 2 comments

mvk commented Dec 11, 2015

Hi there.
This is yet another case stressing the importance of library usage.
Click: http.c
Username and password are sent "as is", not escaped.
Ergo, if they are URL "unsafe", they will be processed by the server differently than expected.

Reproducing:

  1. Add a user to a working server: username="iamneverhome" with password: call&my=home
  2. Try connecting using the official client - works.
  3. Try connecting using openfortivpn with the correct password. You get an auth failure.

Why? The server interprets & as a splitter, the end of the password param, and then "my=home" is also treated as a param. So for the server, the password is being processed as "call".

I'm sorry I'm swamped with customers and work, but I looked at curl/curl.h, it's a bit ugly, but it exactly addresses these cases - fully. e.g. escaping is done by calling curl_easy_escape().


mvk commented Dec 11, 2015

mvk added a commit to mvk/openfortivpn that referenced this issue Dec 11, 2015
- don't touch cookie size bug adrienverge#32
- use curl for url escaping
- url escaping is happening right before calling to tunnel setup routine.
- maintainer: new dependency here: libcurl (runtime), libcurl-devel (build)

Signed-off-by: Max Kovgan <kovganm@gmail.com>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1290902
mvk added a commit to mvk/openfortivpn that referenced this issue Dec 12, 2015
- don't touch cookie size bug adrienverge#32
- use curl for url escaping
- url escaping is happening right before calling to tunnel setup routine.
- maintainer: new dependency here: libcurl (runtime), libcurl-devel (build)

Signed-off-by: Max Kovgan <kovganm@gmail.com>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1290902
adrienverge (Owner) commented

Thanks for detecting this!

mvk added a commit to mvk/openfortivpn that referenced this issue Dec 14, 2015
- use libcurl to escape string as url
- warning: password/username buffers are prone to overrun
- new dependency: libcurl

Signed-off-by: Max Kovgan <kovganm@gmail.com>
adrienverge added a commit that referenced this issue Dec 24, 2015
Username, password and realm are sent to the gateway using the HTTP
query string. Hence, they need to be properly escaped using
URL-encoding.

Fixes: #35
adrienverge added a commit that referenced this issue Dec 26, 2015
Username, password and realm are sent to the gateway using the HTTP
query string. Hence, they need to be properly escaped using
URL-encoding.

Fixes: #35
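
The failure reported in this issue and the URL-encoding fix named in the commit message, as an added example (not code from openfortivpn or libcurl). The functions `url_encode` and `split_query` and the parameter names `username` and `password` are assumptions made for illustration; `split_query` is a constructed model of a parser that splits on `&`, after which a real server would percent-decode each value.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode src; only RFC 3986 unreserved bytes pass through unchanged.
 * Returns the encoded length, or -1 if dst is too small (never truncates). */
int url_encode(char *dst, size_t dstsz, const char *src)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int safe = (c < 0x80 && isalnum(c)) || strchr("-._~", c) != NULL;
        if (n + (safe ? 1 : 3) >= dstsz) return -1; /* keep room for the NUL */
        if (safe) { dst[n++] = (char)c; continue; }
        dst[n++] = '%'; dst[n++] = hex[c >> 4]; dst[n++] = hex[c & 15];
    }
    if (n >= dstsz) return -1;
    dst[n] = '\0';
    return (int)n;
}

/* Constructed model of a '&'-splitting parser (an assumption, not the gateway's
 * code): copies the raw value of key into out, returns the parameter count. */
int split_query(const char *q, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    int count = 0;
    if (outsz) out[0] = '\0';
    for (const char *end; *q; q = *end ? end + 1 : end, count++) {
        end = q + strcspn(q, "&");
        if (strncmp(q, key, klen) == 0 && q[klen] == '=')
            snprintf(out, outsz, "%.*s", (int)(end - q - klen - 1), q + klen + 1);
    }
    return count;
}

int main(void)
{
    const char *pw = "call&my=home"; /* password from the issue's repro steps */
    char enc[64], q[128], seen[64];
    if (url_encode(enc, sizeof enc, pw) < 0) return 1;
    for (int esc = 0; esc < 2; esc++) {
        snprintf(q, sizeof q, "username=iamneverhome&password=%s", esc ? enc : pw);
        int n = split_query(q, "password", seen, sizeof seen);
        printf("%s\n  -> %d params, password=\"%s\"\n", q, n, seen);
    }
    return 0;
}
```

Returning -1 instead of truncating matters because the escaped form can be up to three times the length of the input, which is how fixed-size credential buffers end up overrun or silently shortened.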