[ https://issues.apache.org/jira/browse/GUACAMOLE-1775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17713795#comment-17713795 ]
Ares commented on GUACAMOLE-1775:
---------------------------------

A fix for this has been worked on, and I am trying to create a PR with all the required components by following the guidance provided by the contributors. Will update the progress on this Jira from now on.

Reference: [GUACAMOLE-956: Use header instead of http parameter for session/tunnels/<tunnel ID>/protocol by aresliharris · Pull Request #832 · apache/guacamole-client (github.com)|https://github.com/apache/guacamole-client/pull/832]

> Auth token as a parameter in "session/tunnels/<tunnel ID>/protocol" request
> ---------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1775
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1775
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole, guacamole-client
>   Affects Versions: 1.4.0, 1.5.0
>            Reporter: Ares
>            Priority: Major
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> The following example HTTP request generated by the Guacamole client contains
> authentication service tokens via URL query parameters, which could be leaked
> from server log files, the "Referer" header of HTTP requests, etc.
> Example: GET /api/session/tunnels/<tunnel ID>/protocol?token=<token>
>
> This has been found in 1.4.0 and 1.5.0.
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
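
Added example, not part of the Jira notification and not code from the Guacamole project: a sketch of the two defensive steps the report implies, sending the token in a request header instead of the query string, and finding and redacting tokens already written to access logs. The header name "Guacamole-Token", the function names, the tunnel ID, the token value and the log lines are assumptions or constructed samples.

```javascript
// Assumption: the server accepts the auth token in this request header.
const TOKEN_HEADER = 'Guacamole-Token';

// Move a "token" query parameter into a header, so the URL that reaches
// access logs, browser history and the Referer header carries no secret.
// Returns the path plus any remaining query, and the headers to send.
function tokenToHeader(rawUrl, headers = {}) {
  const url = new URL(rawUrl, 'https://guac.example'); // constructed base for relative URLs
  const token = url.searchParams.get('token');
  if (token === null) return { url: rawUrl, headers: { ...headers } };
  url.searchParams.delete('token');
  return {
    url: url.pathname + url.search,
    headers: { ...headers, [TOKEN_HEADER]: token },
  };
}

// Matches a token value in a query string inside a log line.
const TOKEN_IN_QUERY = /([?&]token=)[^&\s"]+/gi;

// Redact token values from one access-log line and report whether any was present.
function redactLogLine(line) {
  let leaked = false;
  const redacted = line.replace(TOKEN_IN_QUERY, (match, prefix) => {
    leaked = true;
    return prefix + 'REDACTED';
  });
  return { leaked, redacted };
}

// Return only the lines that exposed a token, already redacted for safe reporting.
function scanLog(lines) {
  return lines.map(redactLogLine).filter((r) => r.leaked).map((r) => r.redacted);
}

// Constructed sample access-log lines (not taken from a real server).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /api/session/tunnels/abc123/protocol?token=CONSTRUCTED0123 HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /api/session/tunnels/abc123/protocol HTTP/1.1" 200 512',
];

console.log(tokenToHeader('/api/session/tunnels/abc123/protocol?token=CONSTRUCTED0123'));
console.log(scanLog(SAMPLE_LOG));
```

Tokens found by such a scan have already been exposed to anyone with log access, so the sessions they belong to should be invalidated rather than only redacted.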