[jira] [Commented] (GUACAMOLE-1965) Clipboard access restrictions can be bypassed from the user control panel

Sat, 06 Jul 2024 11:39:10 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17863519#comment-17863519
 ] 

Nick Couchman commented on GUACAMOLE-1965:
------------------------------------------

I'm a bit on the fence about whether this actually is a bug or not. On the one 
hand, practically speaking, when you're trying to prevent mass transfer of data 
from the client system into the remote system, I see how this is not desirable. 
On the other hand, I'm not sure how practical it is to fix this:
* Even if you were able to get clipboard paste to not work when the input mode 
is set to Text, there are myriad other ways to get around this in that mode - 
you could easily write a program in just about any language that just inputs 
keystrokes and takes a paragraph of text as input, and effectively circumvent 
this. In fact, such a work-around could be employed without even switching the 
input method.
* The only other way to half-way mitigate this is to disable the Text input 
method altogether, but I'm fairly sure this wouldn't actually completely 
prevent people from getting around it, and I'm not sure how practical it is to 
tie this in to the clipboard options, which are actually connection parameters 
for the individual protocols and not client options.

> Clipboard access restrictions can be bypassed from the user control panel
> -------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1965
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1965
>             Project: Guacamole
>          Issue Type: Bug
>            Reporter: Adam Reeve
>            Priority: Major
>         Attachments: clipboard-restrictions.png, user-control-panel.png
>
>
> We restrict clipboard access by disabling copying from the remote desktop and 
> pasting from the client:
> !clipboard-restrictions.png|width=666,height=177!
> However, we have found that this can be trivially bypassed by accessing the 
> user control panel:
> !user-control-panel.png|width=1135,height=1135!
> If you change the input method to 'Text', you can freely copy and paste.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to