Snapin and ftp password
My FOG version is : 126.96.36.199
While testing the snapin function, I noticed that I see the FTP password in clear when I launched a wireshark capture on the client workstation during the execution of the task (in an HTTP stream) :
Is it normal, a problem with my configuration or a bug?
@sebastian-roth thank you!
@Tom-Elliott I just pushed the change to
header("X-Sendfile: $filepath");in both dev-branch and working-1.6.
@sebastian-roth and @o71 x-send file was enabled so snapins could be downloaded from the web server without needing to load the File entirely into php, lessening memory and what not. I believe the correct usage would be more what Sebastian suggested, giving the absolute path, not the actual file, and likely an over site from me when coding the section. Back when I put it in. I was pretty new to php, so forgive me. I never coded to purposely expose anything. I will make sure it’s fixed properly in working-1.6.
Thanks for letting us know. Even if Apache isn’t supporting it, it doesn’t hurt anything and if somebody wants to use an engine that does support it, all the better.
@o71 Interesting find! This has been in the code since a long time (long before I joined the team) and I am not sure if it ever worked like expected.
Digging way back into the code repo at sourceforge we used before github I think I found when this was added. Though this was part of a major code change and it’s not mentioned why.
- SVN r3996 when this part of the code was in a different location (service/snapins.file.php)
- SVN r4032 as the snapin code was moved to it’s own class/file and X-Sendfile header added - see line 53 and line 96 of SnapinClient.class.php
If we want to keep the header I guess we should make it:
I think the problem is in the file ‘lib/client/snapinclient.class.php’
I suggest to replace line :
What do you think about it ?