[Spice-devel] [Qemu-devel] Always get Invalid password while trying to connect to spice server

Christophe Fergeau cfergeau at redhat.com
Fri Jan 4 10:06:06 UTC 2019


Hey,

On Thu, Jan 03, 2019 at 04:25:00PM -0600, Eric Blake wrote:
> On 12/27/18 8:51 AM, Niccolò Belli wrote:
> > On mercoledì 26 dicembre 2018 13:38:28 CET, Frediano Ziglio wrote:
> >> Yes, this looks like a format string error in the upper (not into
> >> spice) layer.
> >>
> >> This potentially is a security problem.
> > 
> > Considering the spice server is exposed to the internet this is
> > definitely worth investigating.
> > 
> >> The specific '%' character could be the issue, can you try others
> >> ('!', '@' and so on)?
> > 
> > I tried several other special characters and they all seem to work,
> > except for "Password&&" which gets converted to "Password&&" (if
> > I type "Password&&" it works).
> 
> Could it be related to this patch where our JSON code mishandles %?
> https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg00108.html

Yes definitely, this is where the patch came from.
Mentioning this spice issue is yet another thing I should have added in the
commit log, but which I only thought about *after* having sent the patch :)

Christophe