mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2026-05-12 19:30:04 +00:00
The .rdp file format is line-delimited (key:type:value\r\n), and an unfiltered \r, \n, or NUL inside a string field is reinterpreted by RDP clients as a directive boundary. A username flowing in from any of OIDC, header auth, NTLM, or the URL-override path could therefore inject arbitrary additional directives, e.g. `alternate shell:s:cmd.exe`, and when RDP signing is enabled the malicious payload is signed as authentic, producing a one-click client-side RCE on every user who opens the file.

Strip bytes < 0x20 and 0x7F at the renderer chokepoint (addStructToString), so every source path (caller, template file, ApplyOverrides, anything future) passes through the same filter. Legitimate values (usernames, base64url tokens, hostnames) contain no such bytes, so the filter is a no-op for normal input. Stripping is logged so operators can spot rejected input.

Adds TestStringFieldBoundaryHygiene covering CRLF in username, domain and full address; bare LF in alternate shell; and embedded NUL.

Co-authored-by: Bolke de Bruin <bolke.debruin@metyis.com>
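The injection and the chokepoint filter described in the commit message, as an added Go example written for this page; it is not rdpgw's code and does not reproduce addStructToString. The `rdpField` struct, the `renderUnfiltered`/`renderHardened` pair, the toy `parseDirectives` client model and the username value are all constructed for illustration. The parser treats \r, \n and NUL as directive boundaries, which is the client behaviour the message describes, and splits on the first two colons so a value such as host:port survives intact.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// rdpField is one key:type:value directive. The keys used below are standard
// .rdp keys; the struct itself is illustrative, not rdpgw's own type.
type rdpField struct {
	Key, Type, Value string
}

// renderUnfiltered is the pre-fix behaviour: values are written as-is, so a
// value carrying \r, \n or NUL can start a new directive of its own.
func renderUnfiltered(fields []rdpField) string {
	var b strings.Builder
	for _, f := range fields {
		fmt.Fprintf(&b, "%s:%s:%s\r\n", f.Key, f.Type, f.Value)
	}
	return b.String()
}

// stripControl drops every byte below 0x20 and the 0x7F DEL byte. Legitimate
// usernames, hostnames and base64url tokens contain none, so for normal input
// the result equals the input and stripped is false.
func stripControl(s string) (out string, stripped bool) {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c < 0x20 || c == 0x7f {
			stripped = true
			continue
		}
		b.WriteByte(c)
	}
	return b.String(), stripped
}

// renderHardened is the single chokepoint: every value, whatever its source,
// passes through stripControl before it is written, and stripping is logged.
func renderHardened(fields []rdpField) string {
	var b strings.Builder
	for _, f := range fields {
		v, stripped := stripControl(f.Value)
		if stripped {
			log.Printf("rdp: control bytes stripped from field %q", f.Key)
		}
		fmt.Fprintf(&b, "%s:%s:%s\r\n", f.Key, f.Type, v)
	}
	return b.String()
}

// parseDirectives models a client's line-oriented read (assumption: \r, \n
// and NUL each end a directive). The first two colons separate key and type
// from the value; a later duplicate key overwrites an earlier one.
func parseDirectives(body string) map[string]string {
	out := make(map[string]string)
	isBoundary := func(r rune) bool { return r == '\r' || r == '\n' || r == 0 }
	for _, line := range strings.FieldsFunc(body, isBoundary) {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) != 3 {
			continue
		}
		out[parts[0]] = parts[2]
	}
	return out
}

// injectedShell reports whether a rendered file hands the client an
// "alternate shell" directive, and which program it names.
func injectedShell(body string) (string, bool) {
	v, ok := parseDirectives(body)["alternate shell"]
	return v, ok
}

func main() {
	// Constructed attacker-controlled username, as it could arrive from
	// OIDC, header auth, NTLM or a URL override.
	username := "alice\r\nalternate shell:s:cmd.exe"
	fields := []rdpField{
		{"full address", "s", "ts.example.test:3389"},
		{"username", "s", username},
	}
	if shell, ok := injectedShell(renderUnfiltered(fields)); ok {
		fmt.Printf("unfiltered: client would run %q\n", shell)
	}
	if _, ok := injectedShell(renderHardened(fields)); !ok {
		fmt.Println("hardened: no injected directive")
	}
}
```

Because the filter strips rather than rejects, the hardened username becomes `alicealternate shell:s:cmd.exe`: an odd login name, but inert, since the client never sees a directive boundary. The log line is what tells an operator that such input arrived.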