Bug 1290902 - openfortivpn does not escape user/password passed as URL parameters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openfortivpn
Version: 23
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/adrienverge/openfo...
Whiteboard:
Duplicates: 1290903
Depends On:
Blocks:
Reported: 2015-12-11 20:36 UTC by Max Kovgan
Modified: 2016-01-08 03:22 UTC (History)

Fixed In Version: openfortivpn-1.1.3-1.fc23 openfortivpn-1.1.3-1.fc22
Clone Of:
Environment:
Last Closed: 2016-01-05 21:55:59 UTC
Type: Bug
Embargoed:



Description Max Kovgan 2015-12-11 20:36:13 UTC
Description of problem:

In short: openfortivpn is not escaping URL-sensitive chars in user/pass,
and sends them over to the server.
If the username/password contains such chars (&, =, @, /, etc.), the server misinterprets them.

Version-Release number of selected component (if applicable):
openfortivpn-1.1.2-1.fc23.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Access the admin console of the FortiGate VPN server
2. Create a new user with a password containing "&" and/or "=", etc.
3. Try connecting with openfortivpn
4. Behold an epic fail

Actual results:
auth. error

Expected results:
vpn tunnel up.


Additional info:

This is a duplicate of a GitHub bug I'm linking here.
I'm working on a patch introducing libcurl.
The 1st patch will be just to escape user/pass, and add new dependency:
runtime - libcurl
build-time - libcurl-devel.
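
The failure described above, as an added example that is not part of the report and is neither openfortivpn's code nor the patch the reporter mentions: a password containing "&" or "=" changes how many parameters a URL-encoded body carries unless it is percent-encoded first. The field names `username` and `credential`, the sample values, and the hand-written encoder (used here instead of libcurl so the block has no dependency) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Percent-encode src into dst; only RFC 3986 unreserved bytes pass through.
 * Returns the encoded length, or -1 if dst is too small. */
int url_escape(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9') || strchr("-._~", c) != NULL;
        if (o + (plain ? 1 : 3) >= dstlen) return -1;  /* keep room for NUL */
        if (plain) { dst[o++] = (char)c; continue; }
        dst[o++] = '%';
        dst[o++] = hex[c >> 4];
        dst[o++] = hex[c & 0x0F];
    }
    dst[o] = '\0';
    return (int)o;
}

/* Build the body with both values escaped (field names are assumed).
 * Returns the body length, or -1 on overflow. */
int build_login_body(const char *user, const char *pass, char *out, size_t outlen)
{
    char u[256], p[256];
    if (url_escape(user, u, sizeof u) < 0 || url_escape(pass, p, sizeof p) < 0)
        return -1;
    int n = snprintf(out, outlen, "username=%s&credential=%s", u, p);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Count '&'-separated fields: how many parameters a server would parse. */
int count_fields(const char *body)
{
    int n = (*body != '\0');
    for (; *body; body++)
        if (*body == '&') n++;
    return n;
}

int main(void)
{
    char body[600];
    const char *pass = "p&ss=1";  /* constructed sample password */
    snprintf(body, sizeof body, "username=%s&credential=%s", "alice", pass);
    printf("unescaped: %s (%d fields)\n", body, count_fields(body));
    if (build_login_body("alice", pass, body, sizeof body) > 0)
        printf("escaped:   %s (%d fields)\n", body, count_fields(body));
    return 0;
}
```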

Comment 1 Max Kovgan 2015-12-11 20:40:08 UTC
*** Bug 1290903 has been marked as a duplicate of this bug. ***

Comment 2 Max Kovgan 2015-12-12 08:58:28 UTC
Added the link to the bug.

Comment 3 Fedora Update System 2015-12-26 14:52:05 UTC
openfortivpn-1.1.3-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-80add2b6ba

Comment 4 Fedora Update System 2015-12-29 00:55:34 UTC
openfortivpn-1.1.3-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-80add2b6ba

Comment 5 Fedora Update System 2015-12-30 20:54:50 UTC
openfortivpn-1.1.3-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f2078a6fed

Comment 6 Fedora Update System 2016-01-05 21:55:50 UTC
openfortivpn-1.1.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-01-08 03:22:22 UTC
openfortivpn-1.1.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

