[Spice-devel] [Qemu-devel] Always get Invalid password while trying to connect to spice server

Eric Blake eblake at redhat.com
Thu Jan 3 22:25:00 UTC 2019


On 12/27/18 8:51 AM, Niccolò Belli wrote:
> On Wednesday 26 December 2018 13:38:28 CET, Frediano Ziglio wrote:
>> Yes, this looks like a format string error in the upper (not into
>> spice) layer.
>>
>> This potentially is a security problem.
> 
> Considering the spice server is exposed to the internet this is
> definitely worth investigating.
> 
>> The specific '%' character could be the issue, can you try others
>> ('!', '@' and so on)?
> 
> I tried several other special characters and they all seem to work,
> except for "Password&&" which gets converted to "Password&&" (if
> I type "Password&&" it works).

Could it be related to this patch where our JSON code mishandles %?
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
