the credentials are passed on the URL, which is very unreliable #35
Comments
mvk added a commit to mvk/openfortivpn that referenced this issue on Dec 11, 2015:
- don't touch cookie size bug adrienverge#32
- use curl for url escaping
- url escaping is happening right before calling to tunnel setup routine.
- maintainer: new dependency here: libcurl (runtime), libcurl-devel (build)
Signed-off-by: Max Kovgan <kovganm@gmail.com>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1290902
mvk added a commit to mvk/openfortivpn that referenced this issue on Dec 12, 2015:
- don't touch cookie size bug adrienverge#32
- use curl for url escaping
- url escaping is happening right before calling to tunnel setup routine.
- maintainer: new dependency here: libcurl (runtime), libcurl-devel (build)
Signed-off-by: Max Kovgan <kovganm@gmail.com>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1290902
Thanks for detecting this!
mvk added a commit to mvk/openfortivpn that referenced this issue on Dec 14, 2015:
- use libcurl to escape string as url
- warning: password/username buffers are prone to overrun
- new dependency: libcurl
Signed-off-by: Max Kovgan <kovganm@gmail.com>
adrienverge added a commit that referenced this issue on Dec 24, 2015:
Username, password and realm are sent to the gateway using the HTTP query string. Hence, they need to be properly escaped using URL-encoding.
Fixes: #35
adrienverge added a commit that referenced this issue on Dec 26, 2015:
Username, password and realm are sent to the gateway using the HTTP query string. Hence, they need to be properly escaped using URL-encoding.
Fixes: #35
hi there.
This is yet another case stressing the importance of library usage.
See http.c: username and password are sent "as is", not escaped.
Ergo, if they are URL "unsafe", they will be processed by the server differently than expected.
Reproducing:
call&my=home
Why? The server interprets & as a splitter, the end of the password param, and then "my=home" is also treated as a param. So for the server, the password is being processed as "call".
I'm sorry I'm swamped with customers and work, but I looked at curl/curl.h; it's a bit ugly, but it exactly addresses these cases - fully. E.g. escaping is done by calling curl_easy_escape().
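To show concretely what the report above describes, here is an added example in C (not openfortivpn's own code). It percent-encodes the RFC 3986 reserved bytes, the same set curl_easy_escape() encodes, and counts how many "&"-separated fields a gateway would see in the resulting query string; the parameter names "username" and "password" are placeholders, not the names http.c actually uses.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-encode every byte outside the RFC 3986 unreserved set
 * (A-Z a-z 0-9 - . _ ~). Caller frees the result. */
char *url_escape(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(3 * strlen(s) + 1); /* worst case: each byte -> %XX */
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        }
    }
    *p = '\0';
    return out;
}

/* Identity "encoder": the buggy path that sends the value as is. */
static char *copy_plain(const char *s)
{
    char *out = malloc(strlen(s) + 1);
    if (out)
        strcpy(out, s);
    return out;
}

/* Number of "&"-separated fields a server-side parser would see. */
int count_query_fields(const char *query)
{
    int n = 1;
    for (; *query; query++)
        if (*query == '&')
            n++;
    return n;
}

/* Build "username=...&password=..." (placeholder names), escaped or not. */
char *build_query(const char *user, const char *password, int escape)
{
    char *u = escape ? url_escape(user) : copy_plain(user);
    char *p = escape ? url_escape(password) : copy_plain(password);
    size_t need = strlen("username=&password=") + strlen(u) + strlen(p) + 1;
    char *q = malloc(need);
    if (u && p && q)
        snprintf(q, need, "username=%s&password=%s", u, p);
    free(u);
    free(p);
    return q;
}
```

With the password "call&my=home" from the report, the unescaped query yields three fields (the password truncated to "call"), while the escaped query yields the expected two.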