Password variable --auth=env:name is preserved in Xvfb-for-Xpra-3 process #4252
Comments
It's not easy to decide which variables should be sanitized and which ones should not be.
I may be missing something but wouldn't it be safe to assume that the variable whose name is referenced as
I'm not going to do this sort of parsing gymnastics, sorry.
I was just responding to
simply pointing to the fact that the variable name that holds authentication password is readily available, as it is explicitly specified. I realize that because I am not familiar with the code, what seems to be obvious and simple on the surface, may not really be that straightforward.
Describe the bug
xpra server clears all its environment (probably for security reasons) but not before it launches Xvfb-for-Xpra-3 process. The variable containing authentication password is clearly visible in the process environment.
To Reproduce
Steps to reproduce the behavior:
System Information (please complete the following information):
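The inheritance behaviour reported above, as an added example that is not part of the issue and is not xpra's code: a helper process started while the secret is still in the parent's environment receives its own copy, while passing the helper an explicit environment with that variable removed does not leak it. The variable name `DEMO_AUTH_PASSWORD`, its value and the helper functions are constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed name: stands in for the variable named via --auth=env:name.
SECRET_VAR = "DEMO_AUTH_PASSWORD"

# Helper process body: writes the value it inherited for the named variable.
_PROBE = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"


def scrubbed_env(secret_names, base=None):
    """Return a copy of the environment without the named secret variables."""
    env = dict(os.environ if base is None else base)
    for name in secret_names:
        env.pop(name, None)
    return env


def child_view(env=None):
    """Start a helper process and return the SECRET_VAR value it inherited."""
    result = subprocess.run(
        [sys.executable, "-c", _PROBE, SECRET_VAR],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout


def demo():
    os.environ[SECRET_VAR] = "constructed-secret"
    try:
        # Order reported in the issue: helper started before the parent
        # clears its environment, so the helper inherits the secret.
        inherited = child_view()
        # Helper started with an explicit environment that omits the secret.
        scrubbed = child_view(env=scrubbed_env([SECRET_VAR]))
        # Clearing the parent's copy only affects helpers started afterwards;
        # a helper that is already running keeps the copy it was given.
        os.environ.pop(SECRET_VAR, None)
        after_clear = child_view()
    finally:
        os.environ.pop(SECRET_VAR, None)
    return inherited, scrubbed, after_clear


if __name__ == "__main__":
    print(demo())
```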