Opened 5 weeks ago

Closed 5 weeks ago

Last modified 5 weeks ago

#12415 closed Bug report (fixed)

keyboard-interactive duplicates & signs and adds > sign

Reported by: Janos Pasztor
Owned by:
Priority: normal
Component: FileZilla Client
Keywords:
Cc:
Component version: 3.53.1
Operating system type: Windows
Operating system version: 10.0.19041 Build 19041

Description (last modified by Janos Pasztor)

When an SSH server issues a keyboard-interactive authentication to the client and the "instruction" field contains an & (and) sign (e.g. in a URL), the and sign is duplicated. Furthermore, it adds a > sign after a certain length.

FileZilla:

| Please visit the following link to authenticate: | https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35&&login > =janoszen&&response_type=code&&state=73aaa57b018e4119a381da7b5a0fc06e 
| Please enter the code received:

OpenSSH:

Welcome to ContainerSSH!
Please visit the following link to authenticate:
https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35&login=janoszen&response_type=code&state=b7d0a882dae24d32b000993522b80dbf

Please enter the code received:

Please remove extra formatting from the challenge so links can be properly utilized.

Context: I'm the author of ContainerSSH and we are implementing OAuth2 authentication for SSH. The binaries for this feature are not released yet, but I'm happy to provide a testing server if needed.

Attachments (1)

Screenshot 2021-04-10 090513.png (27.2 KB ) - added by Janos Pasztor 5 weeks ago.
Screenshot


Change History (5)

by Janos Pasztor, 5 weeks ago

Screenshot

comment:1 by Janos Pasztor, 5 weeks ago

Description: modified (diff)

comment:2 by Tim Kosse, 5 weeks ago

Resolution: fixed
Status: new → closed

Two security measures at work here, slightly misplaced.

Ampersand doubling is from escaping them for labels so that they do not become mnemonics. The challenge isn't displayed in a label though. Will remove unneeded escapement.

SFTP support in FileZilla is based on PuTTY's psftp. The line length limiting comes from PuTTY which expects psftp to run in a console window. With the GUI in mind, I'll tweak the length limits.

Please try tomorrow's nightly build.
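
The distinction drawn in comment:2, as an added example that is not FileZilla's or PuTTY's code: each display measure is applied only for the widget it was designed for, so server-supplied challenge text reaches a plain text box unmodified. The `Target` enum, all function names, the 80-column width, the `> ` continuation marker and the sample URL are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>

// Where the server-supplied challenge text will be rendered (hypothetical names).
enum class Target { Label, TextBox, Console };

// Constructed sample instruction text, not taken from a real server.
const std::string kSampleInstruction =
    "https://example.test/authorize?client_id=abc&login=user&state=xyz";

// Double '&' so a label shows it literally instead of treating it as a mnemonic marker.
std::string escape_mnemonics(const std::string& in) {
    std::string out;
    for (char c : in) {
        out.push_back(c);
        if (c == '&') out.push_back('&');
    }
    return out;
}

// Break any line longer than `width` and mark the continuation with "> ".
// Constructed stand-in for console-oriented length limiting, not PuTTY's algorithm.
std::string limit_line_length(const std::string& in, std::size_t width) {
    std::string out;
    std::size_t col = 0;
    for (char c : in) {
        if (c == '\n') {
            col = 0;
        } else if (col == width) {
            out += "\n> ";
            col = 2;  // the marker already occupies two columns
        }
        out.push_back(c);
        if (c != '\n') ++col;
    }
    return out;
}

// Apply each measure only in the context it was meant for.
std::string prepare_challenge(const std::string& text, Target target) {
    switch (target) {
    case Target::Label:   return escape_mnemonics(text);
    case Target::Console: return limit_line_length(text, 80);
    case Target::TextBox: return text;  // links stay intact and copyable
    }
    return text;
}
```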

comment:3 by Janos Pasztor, 5 weeks ago

Awesome, I'll test it. The issue is also present in PuTTY, I submitted it to them too but have not yet received a response.

comment:4 by Janos Pasztor, 5 weeks ago

Thank you, the nightly indeed fixes this issue. However, we found another bug, filed as #12422.
