Merge branch 'master' into 'release/1.3.2'

point noVNC to tip of 1.2.2 release

See merge request kasm-technologies/internal/KasmVNC!143

centos/kasmvncserver.spec

@@ -1,5 +1,5 @@
 Name:           kasmvncserver
-Version:        1.3.3
+Version:        1.2.0
 Release:        1%{?dist}
 Summary:        VNC server accessible from a web browser
 
@@ -83,27 +83,6 @@ cd $DST_MAN && ln -s vncpasswd.1 kasmvncpasswd.1;
 %doc /usr/share/doc/kasmvncserver/README.md
 
 %changelog
-* Fri Oct 25 2024 KasmTech <info@kasmweb.com> - 1.3.3-1
-- Allow disabling IP blacklist
-- Downloads API for detailed file downloads information
-* Tue Sep 24 2024 KasmTech <info@kasmweb.com> - 1.3.2-1
-- Disable seamless clipboard on Firefox by default, due to the Firefox overlaying a Paste menu over the canvas.
-- Fixed CVE-2024-38449, directory traversal bug in built-in web server.
-- Allow for larger header sizes, up to 16k. Provide better logging and handling for requests that contain HTTP headers that are larger than the 16k limit.
-- Fixed memory leak in kasmproxy.
-- Fixed mime types of downloads to ensure the browser interprets them as downloads.
-* Tue Mar 12 2024 KasmTech <info@kasmweb.com> - 1.3.1-1
-- Fix exception thrown on Firefox 124 and higher
-- Fix artifacts on high resolution secondary screens
-- Fixes for touch support on primary and secondary screens
-- Fix for Oculus keyboard input
-* Mon Feb 05 2024 KasmTech <info@kasmweb.com> - 1.3.0-1
-- Multi-monitor support.
-- Increased performance with watermark enabled.
-- Added support for Fedora 39 and Alpine 319.
-- Allow special characters in usernames.
-- Better logging of client settings when client connects or changes settings.
-- Add support for rotation of text-based watermark.
 * Fri Aug 25 2023 KasmTech <info@kasmweb.com> - 1.2.0-1
 - Add support for Unix relays for bidirectional communication between noVNC
   and containerized applications.

common/network/websocket.c

@@ -27,9 +27,6 @@
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <fcntl.h>  // daemonizing
-#include <pwd.h>
-#include <grp.h>
-#include <wordexp.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include <openssl/bio.h> /* base64 encode/decode */
@@ -927,7 +924,7 @@ static void servefile(ws_ctx_t *ws_ctx, const char *in, const char * const user,
 
     // in case they percent-encoded dots
     if (strstr(buf, "../")) {
-        handler_msg("Attempted dir traversal attack, rejecting\n");
+        handler_msg("Attempted dir traversal attack, rejecting\n", len);
         goto nope;
     }
 
@@ -1639,103 +1636,6 @@ static uint8_t ownerapi(ws_ctx_t *ws_ctx, const char *in, const char * const use
         ws_send(ws_ctx, buf, strlen(buf));
         weblog(200, wsthread_handler_id, 0, origip, ip, user, 1, origpath, strlen(buf));
 
-        ret = 1;
-    } else entry("/api/downloads") {
-        char subpath[PATH_MAX] = "", startpath[PATH_MAX] = "~/Downloads", allpath[PATH_MAX];
-        param = parse_get(args, "path", &len);
-        if (len) {
-            memcpy(buf, param, len);
-            buf[len] = '\0';
-            percent_decode(buf, subpath, 0);
-
-            if (strstr(subpath, "../")) {
-                handler_msg("Attempted directory traversal in /api/downloads\n");
-                goto nope;
-            }
-        }
-
-        wordexp_t wexp;
-        if (!wordexp(startpath, &wexp, WRDE_NOCMD))
-            strcpy(startpath, wexp.we_wordv[0]);
-        else
-            goto nope;
-        wordfree(&wexp);
-
-        snprintf(allpath, PATH_MAX, "%s/%s", startpath, subpath);
-        allpath[PATH_MAX - 1] = '\0';
-
-        DIR *dir = opendir(allpath);
-        if (!dir) {
-            handler_msg("Requested dir does not exist\n");
-            goto nope;
-        }
-
-        sprintf(buf, "HTTP/1.1 200 OK\r\n"
-                 "Server: KasmVNC/4.0\r\n"
-                 "Connection: close\r\n"
-                 "Content-type: text/json\r\n"
-                 "%s"
-                 "\r\n", extra_headers ? extra_headers : "");
-        ws_send(ws_ctx, buf, strlen(buf));
-        len = 15;
-
-        ws_send(ws_ctx, "{ \"files\": [\n", 13);
-
-        struct dirent *ent;
-        unsigned char sent = 0;
-        while ((ent = readdir(dir))) {
-            if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, ".."))
-                continue;
-
-            sprintf(path, "%s/%s", allpath, ent->d_name);
-            struct stat st;
-            if (lstat(path, &st))
-                continue;
-
-            char own[LOGIN_NAME_MAX], grp[LOGIN_NAME_MAX], perms[32];
-            sprintf(perms, "%03o", st.st_mode & 0777);
-
-            struct passwd pwdt, *pwdptr;
-            if (getpwuid_r(st.st_uid, &pwdt, buf, sizeof(buf), &pwdptr)) {
-                sprintf(own, "(unknown uid %u)", st.st_uid);
-            } else {
-                strcpy(own, pwdt.pw_name);
-            }
-
-            struct group grpt, *grpptr;
-            if (getgrgid_r(st.st_gid, &grpt, buf, sizeof(buf), &grpptr)) {
-                sprintf(grp, "(unknown gid %u)", st.st_gid);
-            } else {
-                strcpy(grp, grpt.gr_name);
-            }
-
-            sprintf(buf, "%s{ \"filename\": \"%s\", "
-                         "\"date_modified\": %lu, "
-                         "\"date_created\": %lu, "
-                         "\"is_dir\": %s, "
-                         "\"size\": %lu, "
-                         "\"owner\": \"%s\", "
-                         "\"group\": \"%s\", "
-                         "\"perms\": \"%s\" }",
-                         sent ? ",\n" : "",
-                         ent->d_name,
-                         st.st_mtime,
-                         st.st_ctime,
-                         S_ISDIR(st.st_mode) ? "true" : "false",
-                         S_ISDIR(st.st_mode) ? 0 : st.st_size,
-                         own,
-                         grp,
-                         perms);
-            sent = 1;
-            ws_send(ws_ctx, buf, strlen(buf));
-            len += strlen(buf);
-        }
-
-        ws_send(ws_ctx, "]}", 2);
-
-        closedir(dir);
-        weblog(200, wsthread_handler_id, 0, origip, ip, user, 1, origpath, len);
-
         ret = 1;
     }
 

common/rfb/Blacklist.cxx

@@ -42,9 +42,6 @@ Blacklist::~Blacklist() {
 }
 
 bool Blacklist::isBlackmarked(const char* name) {
-  if (!threshold)
-    return false;
-
   BlacklistMap::iterator i = blm.find(name);
   if (i == blm.end()) {
     // Entry is not already black-marked.

debian/changelog

@@ -1,40 +1,3 @@
-kasmvnc (1.3.3-1) unstable; urgency=medium
-
-  * Allow disabling IP blacklist
-  * Downloads API for detailed file downloads information
-
- -- Kasm Technologies LLC <info@kasmweb.com>  Fri, 25 Oct 2024 11:23:00 +0000
-
-kasmvnc (1.3.2-1) unstable; urgency=medium
-
-  * Disable seamless clipboard on Firefox by default, due to the Firefox overlaying a Paste menu over the canvas.
-  * Fixed CVE-2024-38449, directory traversal bug in built-in web server.
-  * Allow for larger header sizes, up to 16k. Provide better logging and handling for requests that contain HTTP headers that are larger than the 16k limit.
-  * Fixed memory leak in kasmproxy.
-  * Fixed mime types of downloads to ensure the browser interprets them as downloads.
-
- -- Kasm Technologies LLC <info@kasmweb.com>  Tue, 24 Sep 2024 11:23:00 +0000
-
-kasmvnc (1.3.1-1) unstable; urgency=medium
-
-  * Fix exception thrown on Firefox 124 and higher
-  * Fix artifacts on high resolution secondary screens
-  * Fixes for touch support on primary and secondary screens
-  * Fix for Oculus keyboard input
-
- -- Kasm Technologies LLC <info@kasmweb.com>  Mon, 12 Mar 2024 11:23:00 +0000
-
-kasmvnc (1.3.0-1) unstable; urgency=medium
-
-  * Multi-monitor support.
-  * Increased performance with watermark enabled.
-  * Added support for Fedora 39 and Alpine 319.
-  * Allow special characters in usernames.
-  * Better logging of client settings when client connects or changes settings.
-  * Add support for rotation of text-based watermark.
-
- -- Kasm Technologies LLC <info@kasmweb.com>  Mon, 02 Feb 2024 14:33:00 +0000
-
 kasmvnc (1.2.0-1) unstable; urgency=medium
 
   * Add support for Unix relays for bidirectional communication between noVNC

fedora/kasmvncserver.spec

@@ -1,5 +1,5 @@
 Name:           kasmvncserver
-Version:        1.3.3
+Version:        1.2.0
 Release:        1%{?dist}
 Summary:        VNC server accessible from a web browser
 
@@ -83,27 +83,6 @@ cd $DST_MAN && ln -s vncpasswd.1 kasmvncpasswd.1;
 %doc /usr/share/doc/kasmvncserver/README.md
 
 %changelog
-* Fri Oct 25 2024 KasmTech <info@kasmweb.com> - 1.3.3-1
-- Allow disabling IP blacklist
-- Downloads API for detailed file downloads information
-* Tue Sep 24 2024 KasmTech <info@kasmweb.com> - 1.3.2-1
-- Disable seamless clipboard on Firefox by default, due to the Firefox overlaying a Paste menu over the canvas.
-- Fixed CVE-2024-38449, directory traversal bug in built-in web server.
-- Allow for larger header sizes, up to 16k. Provide better logging and handling for requests that contain HTTP headers that are larger than the 16k limit.
-- Fixed memory leak in kasmproxy.
-- Fixed mime types of downloads to ensure the browser interprets them as downloads.
-* Tue Mar 12 2024 KasmTech <info@kasmweb.com> - 1.3.1-1
-- Fix exception thrown on Firefox 124 and higher
-- Fix artifacts on high resolution secondary screens
-- Fixes for touch support on primary and secondary screens
-- Fix for Oculus keyboard input
-* Mon Feb 05 2024 KasmTech <info@kasmweb.com> - 1.3.0-1
-- Multi-monitor support.
-- Increased performance with watermark enabled.
-- Added support for Fedora 39 and Alpine 319.
-- Allow special characters in usernames.
-- Better logging of client settings when client connects or changes settings.
-- Add support for rotation of text-based watermark.
 * Fri Aug 25 2023 KasmTech <info@kasmweb.com> - 1.2.0-1
 - Add support for Unix relays for bidirectional communication between noVNC
   and containerized applications.

opensuse/kasmvncserver.spec

@@ -1,5 +1,5 @@
 Name:           kasmvncserver
-Version:        1.3.3
+Version:        1.2.0
 Release:        leap15
 Summary:        VNC server accessible from a web browser
 
@@ -81,27 +81,6 @@ cd $DST_MAN && ln -s vncpasswd.1 kasmvncpasswd.1;
 %doc /usr/share/doc/kasmvncserver/README.md
 
 %changelog
-* Fri Oct 25 2024 KasmTech <info@kasmweb.com> - 1.3.3-1
-- Allow disabling IP blacklist
-- Downloads API for detailed file downloads information
-* Tue Sep 24 2024 KasmTech <info@kasmweb.com> - 1.3.2-1
-- Disable seamless clipboard on Firefox by default, due to the Firefox overlaying a Paste menu over the canvas.
-- Fixed CVE-2024-38449, directory traversal bug in built-in web server.
-- Allow for larger header sizes, up to 16k. Provide better logging and handling for requests that contain HTTP headers that are larger than the 16k limit.
-- Fixed memory leak in kasmproxy.
-- Fixed mime types of downloads to ensure the browser interprets them as downloads.
-* Tue Mar 12 2024 KasmTech <info@kasmweb.com> - 1.3.1-1
-- Fix exception thrown on Firefox 124 and higher
-- Fix artifacts on high resolution secondary screens
-- Fixes for touch support on primary and secondary screens
-- Fix for Oculus keyboard input
-* Mon Feb 05 2024 KasmTech <info@kasmweb.com> - 1.3.0-1
-- Multi-monitor support.
-- Increased performance with watermark enabled.
-- Added support for Fedora 39 and Alpine 319.
-- Allow special characters in usernames.
-- Better logging of client settings when client connects or changes settings.
-- Add support for rotation of text-based watermark.
 * Fri Aug 25 2023 KasmTech <info@kasmweb.com> - 1.2.0-leap15
 - Add support for Unix relays for bidirectional communication between noVNC
   and containerized applications.

oracle/kasmvncserver.spec

@@ -1,5 +1,5 @@
 Name:           kasmvncserver
-Version:        1.3.3
+Version:        1.2.0
 Release:        1%{?dist}
 Summary:        VNC server accessible from a web browser
 
@@ -82,27 +82,6 @@ cd $DST_MAN && ln -s vncpasswd.1 kasmvncpasswd.1;
 %doc /usr/share/doc/kasmvncserver/README.md
 
 %changelog
-* Fri Oct 25 2024 KasmTech <info@kasmweb.com> - 1.3.3-1
-- Allow disabling IP blacklist
-- Downloads API for detailed file downloads information
-* Tue Sep 24 2024 KasmTech <info@kasmweb.com> - 1.3.2-1
-- Disable seamless clipboard on Firefox by default, due to the Firefox overlaying a Paste menu over the canvas.
-- Fixed CVE-2024-38449, directory traversal bug in built-in web server.
-- Allow for larger header sizes, up to 16k. Provide better logging and handling for requests that contain HTTP headers that are larger than the 16k limit.
-- Fixed memory leak in kasmproxy.
-- Fixed mime types of downloads to ensure the browser interprets them as downloads.
-* Tue Mar 12 2024 KasmTech <info@kasmweb.com> - 1.3.1-1
-- Fix exception thrown on Firefox 124 and higher
-- Fix artifacts on high resolution secondary screens
-- Fixes for touch support on primary and secondary screens
-- Fix for Oculus keyboard input
-* Mon Feb 05 2024 KasmTech <info@kasmweb.com> - 1.3.0-1
-- Multi-monitor support.
-- Increased performance with watermark enabled.
-- Added support for Fedora 39 and Alpine 319.
-- Allow special characters in usernames.
-- Better logging of client settings when client connects or changes settings.
-- Add support for rotation of text-based watermark.
 * Fri Aug 25 2023 KasmTech <info@kasmweb.com> - 1.2.0-1
 - Add support for Unix relays for bidirectional communication between noVNC
   and containerized applications.

oracle/kasmvncserver9.spec

@@ -1,5 +1,5 @@
 Name:           kasmvncserver
-Version:        1.3.3
+Version:        1.2.0
 Release:        1%{?dist}
 Summary:        VNC server accessible from a web browser
 
@@ -82,27 +82,6 @@ cd $DST_MAN && ln -s vncpasswd.1 kasmvncpasswd.1;
 %doc /usr/share/doc/kasmvncserver/README.md
 
 %changelog
-* Fri Oct 25 2024 KasmTech <info@kasmweb.com> - 1.3.3-1
-- Allow disabling IP blacklist
-- Downloads API for detailed file downloads information
-* Tue Sep 24 2024 KasmTech <info@kasmweb.com> - 1.3.2-1
-- Disable seamless clipboard on Firefox by default, due to the Firefox overlaying a Paste menu over the canvas.
-- Fixed CVE-2024-38449, directory traversal bug in built-in web server.
-- Allow for larger header sizes, up to 16k. Provide better logging and handling for requests that contain HTTP headers that are larger than the 16k limit.
-- Fixed memory leak in kasmproxy.
-- Fixed mime types of downloads to ensure the browser interprets them as downloads.
-* Tue Mar 12 2024 KasmTech <info@kasmweb.com> - 1.3.1-1
-- Fix exception thrown on Firefox 124 and higher
-- Fix artifacts on high resolution secondary screens
-- Fixes for touch support on primary and secondary screens
-- Fix for Oculus keyboard input
-* Mon Feb 05 2024 KasmTech <info@kasmweb.com> - 1.3.0-1
-- Multi-monitor support.
-- Increased performance with watermark enabled.
-- Added support for Fedora 39 and Alpine 319.
-- Allow special characters in usernames.
-- Better logging of client settings when client connects or changes settings.
-- Add support for rotation of text-based watermark.
 * Fri Aug 25 2023 KasmTech <info@kasmweb.com> - 1.2.0-1
 - Add support for Unix relays for bidirectional communication between noVNC
   and containerized applications.

unix/xserver/hw/vnc/Xvnc.man

@@ -478,7 +478,7 @@ See the GnuTLS manual for possible values. Default is \fBNORMAL\fP.
 .TP
 .B \-BlacklistThreshold \fIcount\fP
 The number of unauthenticated connection attempts allowed from any individual
-host before that host is black-listed.  Default is 5. Set to 0 to disable.
+host before that host is black-listed.  Default is 5.
 .
 .TP
 .B \-BlacklistTimeout \fIseconds\fP

unix/xserver/hw/vnc/xvnc.c

@@ -96,7 +96,7 @@ from the X Consortium.
 #include "version-config.h"
 #include "site.h"
 
-#define XVNCVERSION "KasmVNC 1.3.3"
+#define XVNCVERSION "KasmVNC 1.2.0"
 #define XVNCCOPYRIGHT ("Copyright (C) 1999-2018 KasmVNC Team and many others (see README.me)\n" \
                        "See http://kasmweb.com for information on KasmVNC.\n")