From: Aline Manera <alinefm(a)br.ibm.com>
noVNC and spice pages were not protected by authentication.
So if an unauthenticated user had access to the URL
http://host-ip:port/vnc.html?port=64667&path=?token=<my-vm>&...
they would be able to take control of the VM.
Fix it by using kimchiauth tool.
Signed-off-by: Aline Manera <alinefm(a)br.ibm.com>
---
src/kimchi/config.py.in | 32 ++++++++++++++++++++------------
tests/test_config.py.in | 32 ++++++++++++++++++++------------
2 files changed, 40 insertions(+), 24 deletions(-)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index ac1667e..858065c 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -167,18 +167,26 @@ class KimchiConfig(dict):
SESSIONSTIMEOUT = 10
kimchi_config = {
- '/': {'tools.trailing_slash.on': False,
- 'request.methods_with_bodies': ('POST', 'PUT'),
- 'tools.nocache.on': True,
- 'tools.proxy.on': True,
- 'tools.sessions.on': True,
- 'tools.sessions.name': 'kimchi',
- 'tools.sessions.secure': True,
- 'tools.sessions.httponly': True,
- 'tools.sessions.locking': 'explicit',
- 'tools.sessions.storage_type': 'ram',
- 'tools.sessions.timeout': SESSIONSTIMEOUT,
- 'tools.kimchiauth.on': False},
+ '/': {
+ 'tools.trailing_slash.on': False,
+ 'request.methods_with_bodies': ('POST', 'PUT'),
+ 'tools.nocache.on': True,
+ 'tools.proxy.on': True,
+ 'tools.sessions.on': True,
+ 'tools.sessions.name': 'kimchi',
+ 'tools.sessions.secure': True,
+ 'tools.sessions.httponly': True,
+ 'tools.sessions.locking': 'explicit',
+ 'tools.sessions.storage_type': 'ram',
+ 'tools.sessions.timeout': SESSIONSTIMEOUT,
+ 'tools.kimchiauth.on': False
+ },
+ '/vnc_auto.html': {
+ 'tools.kimchiauth.on': True
+ },
+ '/spice.html': {
+ 'tools.kimchiauth.on': True
+ },
'/data/screenshots': {
'tools.staticdir.on': True,
'tools.staticdir.dir': get_screenshot_path(),
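Review bot: The new per-path sections enable `tools.kimchiauth.on` only for `'/vnc_auto.html'` and `'/spice.html'`, yet the commit message's example URL is `vnc.html`; if the server also serves `vnc.html` (or any other page that can open a console, not visible here), that page keeps the `'/'` default of `'tools.kimchiauth.on': False` and remains reachable without a session, so either the message or the protected path list should be brought into agreement — the mirrored hunk in tests/test_config.py.in has the same gap. Because the override is keyed on the literal request path, a comment above the two entries such as `# Console pages require an authenticated session; the '/' default leaves kimchiauth off for everything else` would make the intent explicit and discourage adding a new console page without an override. Protecting the HTML page does not by itself gate the websocket endpoint selected by the `port`/`path` query parameters named in the message, so it is worth confirming separately that that endpoint also validates the session (outside this diff). The `kimchi_config` dict continues past the end of the hunk.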
diff --git a/tests/test_config.py.in b/tests/test_config.py.in
index 6965930..4e4375b 100644
--- a/tests/test_config.py.in
+++ b/tests/test_config.py.in
@@ -92,18 +92,26 @@ class ConfigTests(unittest.TestCase):
CACHEEXPIRES = 31536000
SESSIONSTIMEOUT = 10
configObj = {
- '/': {'tools.trailing_slash.on': False,
- 'request.methods_with_bodies': ('POST',
'PUT'),
- 'tools.nocache.on': True,
- 'tools.proxy.on': True,
- 'tools.sessions.on': True,
- 'tools.sessions.name': 'kimchi',
- 'tools.sessions.secure': True,
- 'tools.sessions.httponly': True,
- 'tools.sessions.locking': 'explicit',
- 'tools.sessions.storage_type': 'ram',
- 'tools.sessions.timeout': SESSIONSTIMEOUT,
- 'tools.kimchiauth.on': False},
+ '/': {
+ 'tools.trailing_slash.on': False,
+ 'request.methods_with_bodies': ('POST', 'PUT'),
+ 'tools.nocache.on': True,
+ 'tools.proxy.on': True,
+ 'tools.sessions.on': True,
+ 'tools.sessions.name': 'kimchi',
+ 'tools.sessions.secure': True,
+ 'tools.sessions.httponly': True,
+ 'tools.sessions.locking': 'explicit',
+ 'tools.sessions.storage_type': 'ram',
+ 'tools.sessions.timeout': SESSIONSTIMEOUT,
+ 'tools.kimchiauth.on': False
+ },
+ '/vnc_auto.html': {
+ 'tools.kimchiauth.on': True
+ },
+ '/spice.html': {
+ 'tools.kimchiauth.on': True
+ },
'/css': {
'tools.staticdir.on': True,
'tools.staticdir.dir': '%s/ui/css' % paths.prefix,
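Review bot: The expected `configObj` literal now duplicates the two new `'/vnc_auto.html'` and `'/spice.html'` entries, but nothing in the test states why they exist, so a later edit that drops an override would only fail a whole-dict comparison with no hint that an authentication check was lost. A targeted assertion alongside the equality check, e.g. `for page in ('/vnc_auto.html', '/spice.html'): self.assertTrue(<config under test>[page]['tools.kimchiauth.on'])` (placeholder for the real config object), would document the security intent and fail on exactly that regression. How `configObj` is compared is not visible, since the enclosing test method starts before the hunk and continues after it.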
--
1.7.10.4