GUACAMOLE-1818

Migrate away from including auth token within WebSocket tunnel URL


Details

    • Type: Wish
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component: guacamole

    Description

      The following HTTP request example, generated by the Guacamole client, contains authentication service tokens via URL query parameters, which could be leaked from server log files, the “Referer” header of HTTP requests, etc.

      Example:

      GET /workstation/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp

      I was able to verify this for both 1.5.2 and 1.5.1; older releases are probably also affected by this.

      This is similar to: GUACAMOLE-1775
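As an added example (not code from the Guacamole project): the check a defender would run on existing logs while the client is migrated. It scans constructed Apache/nginx combined-format access-log lines, flags where the tunnel URL's `token` query parameter lands (request line or Referer), and emits a redacted copy of each such line while preserving the other GUAC_* parameters.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# One line of Apache/nginx "combined" format (assumed log format). The request
# URL and the Referer are the two places where a query-string token lands.
COMBINED_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
SENSITIVE_PARAMS = {"token"}  # the auth token parameter from the issue above


def redact_url(url):
    """Return (url, had_secret). Sensitive query values become REDACTED; all
    other parameters (GUAC_*, repeated keys, %-encoding) are preserved."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k in SENSITIVE_PARAMS for k, _ in pairs):
        return url, False
    cleaned = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True


def scan_log(lines):
    """Return [(line_no, leaked_fields, redacted_line)] for every line that
    exposes a sensitive parameter; leaked_fields is a subset of url/referer."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; leave it for manual review
        leaked, out = [], line
        for field in ("referer", "url"):  # right-to-left keeps offsets valid
            new, hit = redact_url(m.group(field))
            if hit:
                leaked.append(field)
                out = out[:m.start(field)] + new + out[m.end(field):]
        if leaked:
            findings.append((n, sorted(leaked), out))
    return findings


# Constructed sample lines: a tunnel request carrying the token, a later request
# whose Referer repeats that URL, and an unrelated API call.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /workstation/websocket-tunnel?token=SECRET123&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16 HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /workstation/images/logo.png HTTP/1.1" 200 512 "https://guac.example.test/workstation/websocket-tunnel?token=SECRET123&GUAC_ID=1" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /workstation/api/session/data/postgresql/connections HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, fields, redacted in scan_log(SAMPLE_LINES):
        print(f"line {line_no}: token leaked via {', '.join(fields)}\n  {redacted}")
```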

            People

              Assignee: Unassigned
              Reporter: langeschro Benjamin
              Votes: 0
              Watchers: 2