Opened 2 years ago
Closed 2 years ago
Last modified 2 years ago
#12415 closed Bug report (fixed)
keyboard-interactive duplicates & signs and adds > sign
|Reported by:||janoszen||Owned by:|
|Component version:||3.53.1||Operating system type:||Windows|
|Operating system version:||10.0.19041 Build 19041|
Description
When an SSH server issues a keyboard-interactive authentication to the client and the "instruction" field contains an & (and) sign (e.g. in a URL), the and sign is duplicated. Furthermore, it adds a > sign after a certain length.
| Please visit the following link to authenticate:
| https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35&&login
> =janoszen&&response_type=code&&state=73aaa57b018e4119a381da7b5a0fc06e
| Please enter the code received:
Welcome to ContainerSSH! Please visit the following link to authenticate: https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35&login=janoszen&response_type=code&state=b7d0a882dae24d32b000993522b80dbf Please enter the code received:
Please remove extra formatting from the challenge so links can be properly utilized.
Context: I'm the author of ContainerSSH and we are implementing OAuth2 authentication for SSH. The binaries for this feature are not released yet, but I'm happy to provide a testing server if needed.
Change History (5)
by , 2 years ago
|Attachment:||Screenshot 2021-04-10 090513.png added|
comment:1 by , 2 years ago
comment:2 by , 2 years ago
|Status:||new → closed|
Two security measures at work here, slightly misplaced.
Ampersand doubling is from escaping them for labels so that they do not become mnemonics. The challenge isn't displayed in a label though. Will remove unneeded escapement.
SFTP support in FileZilla is based on PuTTY's psftp. The line length limiting comes from PuTTY which expects psftp to run in a console window. With the GUI in mind, I'll tweak the length limits.
Please try tomorrow's nightly build.
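The distinction drawn in comment:2, as an added example that is not part of the ticket and is not FileZilla's or PuTTY's code: each measure belongs to exactly one display sink, and applying it elsewhere corrupts server-supplied text such as a URL. The `Sink` enum, the function names, the 80-column default and the sample URL are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Hypothetical display sinks for server-supplied challenge text.
enum class Sink { Label, TextControl, Console };

// Label-only measure: double '&' so the toolkit does not treat it as a mnemonic marker.
std::string escape_mnemonics(const std::string& in) {
    std::string out;
    for (char c : in) {
        out.push_back(c);
        if (c == '&') out.push_back('&');
    }
    return out;
}

// Console-only measure: hard-wrap every line, prefixing the first chunk with "| "
// and continuation chunks with "> " (the width is an assumed value).
std::string wrap_console(const std::string& in, std::size_t cols = 80) {
    const std::size_t room = (cols < 3 ? 3 : cols) - 2;  // two columns hold the prefix
    std::string out;
    std::size_t start = 0;
    while (start <= in.size()) {
        std::size_t end = in.find('\n', start);
        if (end == std::string::npos) end = in.size();
        const char* prefix = "| ";
        std::size_t pos = start;
        do {
            const std::size_t n = std::min(room, end - pos);
            out += prefix;
            out.append(in, pos, n);
            out += '\n';
            pos += n;
            prefix = "> ";
        } while (pos < end);
        start = end + 1;
    }
    return out;
}

// Apply only the measure that matches the sink the text is rendered in.
std::string prepare(const std::string& challenge, Sink sink) {
    if (sink == Sink::Label) return escape_mnemonics(challenge);
    if (sink == Sink::Console) return wrap_console(challenge);
    return challenge;  // plain text control: show the text unchanged
}

int main() {
    const std::string url = "https://example.com/authorize?client_id=abc&login=user&state=xyz";  // constructed
    std::cout << prepare(url, Sink::TextControl) << '\n' << wrap_console(escape_mnemonics(url), 40);
}
```

The second value printed by `main` applies both measures to one string, which reproduces the shape of the output reported in the description.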
comment:3 by , 2 years ago
Awesome, I'll test it. The issue is also present in PuTTY, I submitted it to them too but have not yet received a response.
comment:4 by , 2 years ago
Thank you, the nightly indeed fixes this issue. However, we found another bug filed as #12422.