Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#12415 closed Bug report (fixed)

keyboard-interactive duplicates & signs and adds > sign

Reported by: janoszen Owned by:
Priority: normal Component: FileZilla Client
Keywords: Cc:
Component version: 3.53.1 Operating system type: Windows
Operating system version: 10.0.19041 Build 19041

Description (last modified by janoszen)

When an SSH server issues a keyboard-interactive authentication to the client and the "instruction" field contains an & (and) sign (e.g. in an URL) the and sign is duplicated. Furthermore, it adds a > sign after a certain length.


| Please visit the following link to authenticate: | > =janoszen&&response_type=code&&state=73aaa57b018e4119a381da7b5a0fc06e 
| Please enter the code received:


Welcome to ContainerSSH!
Please visit the following link to authenticate:

Please enter the code received:

Please remove extra formatting from the challenge so links can be properly utilized.

Context: I'm the author of ContainerSSH and we are implementing OAuth2 authentication for SSH. The binaries for this feature are not released yet, but I'm happy to provide a testing server if needed.

Attachments (1)

Screenshot 2021-04-10 090513.png (27.2 KB ) - added by janoszen 2 years ago.

Download all attachments as: .zip

Change History (5)

by janoszen, 2 years ago


comment:1 by janoszen, 2 years ago

Description: modified (diff)

comment:2 by Tim Kosse, 2 years ago

Resolution: fixed
Status: newclosed

Two security measures at work here, slightly misplaced.

Ampersand doubling is from escaping them for labels so that they do not become mnemonics. The challenge isn't displayed in a label though. Will remove uneeded escapement.

SFTP support in FileZilla is based on PuTTY's psftp. The line length limiting comes from PuTTY which expects psftp to run in a console window. With the GUI in mind, I'll tweak the length limits.

Please try tomorrow's nightly build.

comment:3 by janoszen, 2 years ago

Awesome, I'll test it. The issue is also present in PuTTY, I submitted it to them too but have not yet received a response.

comment:4 by janoszen, 2 years ago

Thank you, the nightly indeed fixes this issue. However, we found another bug filed as #12422

Note: See TracTickets for help on using tickets.