[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying to connect to spice server |
Date: |
Thu, 3 Jan 2019 16:25:00 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1 |
On 12/27/18 8:51 AM, Niccolò Belli wrote:
> On mercoledì 26 dicembre 2018 13:38:28 CET, Frediano Ziglio wrote:
>> Yes, this looks like a format string error in the upper (not into
>> spice) layer.
>>
>> This potentially is a security problem.
>
> Considering the spice server is exposed to the internet this is
> definitely worth investigating.
>
>> The specific '%' character could be the issue, can you try others
>> ('!', '@' and
>> so on) ?
>
> I tried several other special characters and they all seems to work,
> expect for "Password&&" which gets converted to "Password&&" (if
> I type "Password&&" it works).
Could it be related to this patch where our JSON code mishandles %?
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature
- Re: [Qemu-devel] [Spice-devel] Always get Invalid password while trying to connect to spice server,
Eric Blake <=