• Hello,

    My FOG version is : 1.5.9.3

    While testing the snapin function, I noticed that I see the FTP password in clear when I launched a wireshark capture on the client workstation during the execution of the task (in an HTTP stream) :
    pb fog.PNG

    Is it normal, a problem with my configuration or a bug?

    Thank you.


  • @sebastian-roth thank you!

  • Senior Developer

    @Tom-Elliott I just pushed the change to header("X-Sendfile: $filepath"); in both dev-branch and working-1.6.


  • @tom-elliott @Sebastian-Roth Thanks ! Happy to help you 😉

    Have a nice day !


  • @sebastian-roth and @o71 x-send file was enabled so snapins could be downloaded from the web server without needing to load the File entirely into php, lessening memory and what not. I believe the correct usage would be more what Sebastian suggested, giving the absolute path, not the actual file, and likely an over site from me when coding the section. Back when I put it in. I was pretty new to php, so forgive me. I never coded to purposely expose anything. I will make sure it’s fixed properly in working-1.6.

    Thanks for letting us know. Even if Apache isn’t supporting it, it doesn’t hurt anything and if somebody wants to use an engine that does support it, all the better.

  • Senior Developer

    @o71 Interesting find! This has been in the code since a long time (long before I joined the team) and I am not sure if it ever worked like expected.

    Digging way back into the code repo at sourceforge we used before github I think I found when this was added. Though this was part of a major code change and it’s not mentioned why.

    • SVN r3996 when this part of the code was in a different location (service/snapins.file.php)
    • SVN r4032 as the snapin code was moved to it’s own class/file and X-Sendfile header added - see line 53 and line 96 of SnapinClient.class.php

    @Tom-Elliott Do you remember why this header was added? I’d think we can just remove it as it never made it into the Apache code and the module is not being maintained anyway.

    If we want to keep the header I guess we should make it:

    header("X-Sendfile: $filepath");

  • I think the problem is in the file ‘lib/client/snapinclient.class.php’

    I suggest to replace line :

    header("X-Sendfile: $SnapinFile");
    

    By

    header("X-Sendfile: $file");
    

    What do you think about it ?

    Thanks

409
Online

8.7k
Users

15.4k
Topics

144.0k
Posts