
UI inconsistency in SSH key setting

Open bnjbvr opened this issue 8 years ago • 1 comments

STR

  1. log in
  2. go to Settings
  3. fill in an SSH key that ends with an email address [email protected]
  4. blur SSH key text field
  5. the email is still in the text field
  6. move tab/section and get back to Settings / SSH

Expected

Since it was there after saving (step 5), the email should still appear in the text field.

Observed

After getting back to this text field (step 6), the email has disappeared...

bnjbvr avatar Oct 04 '17 14:10 bnjbvr

Thanks for filing this bug!

The email part of an SSH key is a comment, and we strip it away while validating it (to prevent emails like [email protected]" && cat /etc/passwd && echo " which I think are accepted in the SSH key format, but would exploit our shell into misbehaving).

Note: Nowadays, such a malicious email should no longer cause our shell to misbehave, since we've moved from templated docker.exec calls to docker.putArchive.

Second note: This SSH field should be removed soon, and should be editable instead from your Configurations page (and this would also allow you to add email comments, as well as multiple SSH public keys).

jankeromnes avatar Oct 04 '17 14:10 jankeromnes
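
The comment stripping described in the reply above, sketched as an added example (not part of the original thread and not Janitor's own code): it keeps only the key type and base64 blob of an OpenSSH public key line and checks that the blob's embedded type name matches. The names `normalizePublicKey`, `sampleKey` and `KEY_TYPES`, and the choice of allowed key types, are assumptions made for illustration.

```javascript
// Added example, not Janitor's code: normalize an OpenSSH public key line and
// drop the free-form comment so only validated fields are ever stored or used.
const KEY_TYPES = new Set([ // hypothetical allowlist
  'ssh-ed25519', 'ssh-rsa',
  'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
]);

function normalizePublicKey(line) {
  if (typeof line !== 'string' || /[\r\n\0]/.test(line.trim())) {
    throw new Error('expected a single-line public key');
  }
  // Format: <type> <base64 blob> [comment...]; the comment may contain anything.
  const [type, blob] = line.trim().split(/[ \t]+/);
  if (!KEY_TYPES.has(type)) throw new Error('unsupported key type');
  if (!blob || !/^[A-Za-z0-9+/]+={0,2}$/.test(blob) || blob.length % 4 !== 0) {
    throw new Error('key data is not strict base64');
  }
  // The blob starts with a length-prefixed copy of the type name (RFC 4253
  // string encoding); it must match the textual type field.
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 4) throw new Error('key data too short');
  const nameLen = raw.readUInt32BE(0);
  if (nameLen !== type.length || raw.length <= 4 + nameLen ||
      raw.toString('latin1', 4, 4 + nameLen) !== type) {
    throw new Error('key data does not match key type');
  }
  // Only the allowlisted type and base64 characters survive: no quotes, no
  // extra fields, no shell metacharacters from the comment.
  return `${type} ${blob}`;
}

// Constructed sample: a syntactically valid ssh-ed25519 blob with a zeroed key.
function sampleKey() {
  const name = Buffer.from('ssh-ed25519');
  const len = (n) => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
  return 'ssh-ed25519 ' +
    Buffer.concat([len(name.length), name, len(32), Buffer.alloc(32)]).toString('base64');
}
```

Normalizing on input is defence in depth; as the reply notes, the stronger fix is to stop building shell command strings from user data at all.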