Topic "Password exported by "Generate session URL" has html encoded characters"

Jochen Van den Bossche

Joined: 2015-08-25
Posts: 1
This is with WinSCP 5.7.5 (build 5665)

I have been given a password (that starts) with a comma ",".
For scripting purposes, I use the "Generate Session URL" feature. The result of which is for example:
sftp://myuser:%2Ccomma@sftp.server.com/dir1/dir2/

In that case the password was
,comma

When using that URL in a script the connection fails. If I adapt the URL to
sftp://myuser:,comma@sftp.server.com/dir1/dir2/
The connection works fine.

So there is a simple workaround, but some people might get confused over this small bug.

J.
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
Thanks for your report.

I'm having no problems with this command:

open sftp://user:%2Ccomma@host/

Please attach a full log file showing the problem (using the latest version of WinSCP).

To generate a log file, use the /log=path_to_log_file command-line argument. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.
Guest

You state that
Quote:
Note that passwords and passphrases are not stored in the log.

Therefore a log would not be useful at all.

That log would just say that the wrong password was used, which is perfectly correct.

The reason the wrong password is used is what counts: the "Generate Session URL" feature changes the password from the entered/stored one, when that password includes a comma.


Test case:
1) Set up an account with a password that begins with a comma
2) Make a new entry for that account in WinSCP, and store the password.
3) Connect to that account using the WinSCP GUI: works OK.
4) Now use the "Generate Session URL" feature to obtain a URL for that connection that can be used in a script.
You'll notice that the URL does not include a comma at all.
Where the password is supposed to be (so immediately after the colon) the first characters are %2C.
After that %2C are all remaining characters of the password (those after the comma) and then the @-character followed by the host etc.
5) Using that URL in a script leads to a refused connection caused by bad credentials (which is correct)
6) If the log of the server would show the used password (I guess it won't) then that password would start with "%2C" instead of with ",".


I see two options for what you need to correct:
    A) "Generate Session URL" should not URL-encode the password string
    B) The script engine should convert the URL-encoded password back before sending it to a server.

If you go for option B, I suggest adding a security improvement: if the scripting engine has to decode the password anyway, why not make it a bit more secure by really encrypting the passwords in the generated URLs?

I won't be following this up any more since my workaround is working fine.
martin
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
Anonymous wrote:
B) The script engine should convert the URL-encoded password back before sending it to a server.

Of course it does.

Quote:
If you go for option B, I suggest adding a security improvement: if the scripting engine has to decode the password anyway, why not make it a bit more secure by really encrypting the passwords in the generated URLs?

That's not encryption. That's mere obfuscation.
See https://winscp.net/eng/docs/guide_protecting_credentials_for_automation

Quote:
I won't be following this up any more since my workaround is working fine.

Would you please attach the log anyway? It might be useful. You can even enable password logging in preferences (or use /loglevel=* command-line parameter).
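The round trip discussed in the two posts above (a password beginning with "," is written into the session URL as "%2C" and must be percent-decoded before use), as an added example that is not WinSCP's code; the scheme, user, host and path values are made up for illustration. Percent-encoding is reversible by design, which is why the reply calls it obfuscation rather than encryption.

```python
# Added example (not WinSCP code): how a password such as ",comma" becomes
# "%2Ccomma" in a session URL and is recovered by percent-decoding the userinfo.
from urllib.parse import quote, unquote, urlsplit


def build_session_url(scheme: str, user: str, password: str, host: str, path: str = "/") -> str:
    """Percent-encode the userinfo so that reserved characters (",", ":", "@",
    "/", "%") cannot be mistaken for URL delimiters. Sample values are constructed."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def credentials_from_session_url(url: str, decode: bool = True) -> tuple[str, str]:
    """Return (user, password) from a session URL.

    urlsplit() hands back the userinfo still encoded. With decode=False that raw
    value is returned, which is the behaviour the reporter suspected: a client
    that skipped decoding would present "%2Ccomma" and be refused.
    """
    parts = urlsplit(url)
    if parts.username is None or parts.password is None:
        raise ValueError("session URL has no user:password@ section")
    if not decode:
        return parts.username, parts.password
    return unquote(parts.username), unquote(parts.password)


def round_trips(user: str, password: str, host: str, path: str = "/") -> bool:
    """True when encode -> parse -> decode returns the original credentials."""
    url = build_session_url("sftp", user, password, host, path)
    return credentials_from_session_url(url) == (user, password)


if __name__ == "__main__":
    url = build_session_url("sftp", "myuser", ",comma", "sftp.server.com", "/dir1/dir2/")
    print(url)                                              # sftp://myuser:%2Ccomma@sftp.server.com/dir1/dir2/
    print(credentials_from_session_url(url, decode=False))  # ('myuser', '%2Ccomma')  -> would be refused
    print(credentials_from_session_url(url))                # ('myuser', ',comma')
    # Reserved characters survive only because they are encoded; a raw "/" or "@"
    # in the password would be taken for a URL delimiter instead.
    print(round_trips("my@user", "p@ss/w:rd%25", "host"))   # True
```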