Bug 1290902

Summary: openfortivpn does not escape user/password passed as URL parameters
Product: [Fedora] Fedora Reporter: Max Kovgan <kovganm>
Component: openfortivpnAssignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 23CC: adrienverge, lkundrak
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
URL: https://github.com/adrienverge/openfortivpn/issues/35
Whiteboard:
Fixed In Version: openfortivpn-1.1.3-1.fc23 openfortivpn-1.1.3-1.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-05 21:55:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Max Kovgan 2015-12-11 20:36:13 UTC 
Description of problem:

in short: openfortivpn is not escaping url sensitive chars in user/pass,
and sends them over to the server.
If username/password contains such chars (&, =, @, /, etc.) the server misinterprets them.

Version-Release number of selected component (if applicable):
openfortivpn-1.1.2-1.fc23.x86_64

How reproducible:
100%

Steps to Reproduce:
1. access admin console of fortigate vpn server
2. create new user with password to contain "&" and or "=", etc.
3. try connecting with openfortivpn
4. behold an epic fail

Actual results:
auth. error

Expected results:
vpn tunnel up.


Additional info:

This is a duplicate of a github bug I'm linking here.
I'm working on a patch introducing libcurl.
The 1st patch will be just to escape user/pass, and add new dependency:
runtime - libcurl
build-time - libcurl-devel.
Comment 1 Max Kovgan 2015-12-11 20:40:08 UTC 
*** Bug 1290903 has been marked as a duplicate of this bug. ***
Comment 2 Max Kovgan 2015-12-12 08:58:28 UTC 
Added the link to the bug.
Comment 3 Fedora Update System 2015-12-26 14:52:05 UTC 
openfortivpn-1.1.3-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-80add2b6ba
Comment 4 Fedora Update System 2015-12-29 00:55:34 UTC 
openfortivpn-1.1.3-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-80add2b6ba
Comment 5 Fedora Update System 2015-12-30 20:54:50 UTC 
openfortivpn-1.1.3-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f2078a6fed
Comment 6 Fedora Update System 2016-01-05 21:55:50 UTC 
openfortivpn-1.1.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-01-08 03:22:22 UTC 
openfortivpn-1.1.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.