
From: Aline Manera <alinefm@br.ibm.com>
noVNC and spice pages were not protected by authentication. So if a non-authenticated user has access to the URL http://host-ip:port/vnc.html?port=64667&path=?token=<my-vm>&encrypt=1 he/she would be able to get control of the VM. Fix it by using kimchiauth tool.
Signed-off-by: Aline Manera <alinefm@br.ibm.com>
---
 src/kimchi/config.py.in | 32 ++++++++++++++++++++------------
 tests/test_config.py.in | 32 ++++++++++++++++++++------------
 2 files changed, 40 insertions(+), 24 deletions(-)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index ac1667e..858065c 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -167,18 +167,26 @@ class KimchiConfig(dict):
 SESSIONSTIMEOUT = 10
 kimchi_config = {
- '/': {'tools.trailing_slash.on': False,
- 'request.methods_with_bodies': ('POST', 'PUT'),
- 'tools.nocache.on': True,
- 'tools.proxy.on': True,
- 'tools.sessions.on': True,
- 'tools.sessions.name': 'kimchi',
- 'tools.sessions.secure': True,
- 'tools.sessions.httponly': True,
- 'tools.sessions.locking': 'explicit',
- 'tools.sessions.storage_type': 'ram',
- 'tools.sessions.timeout': SESSIONSTIMEOUT,
- 'tools.kimchiauth.on': False},
+ '/': {
+ 'tools.trailing_slash.on': False,
+ 'request.methods_with_bodies': ('POST', 'PUT'),
+ 'tools.nocache.on': True,
+ 'tools.proxy.on': True,
+ 'tools.sessions.on': True,
+ 'tools.sessions.name': 'kimchi',
+ 'tools.sessions.secure': True,
+ 'tools.sessions.httponly': True,
+ 'tools.sessions.locking': 'explicit',
+ 'tools.sessions.storage_type': 'ram',
+ 'tools.sessions.timeout': SESSIONSTIMEOUT,
+ 'tools.kimchiauth.on': False
+ },
+ '/vnc_auto.html': {
+ 'tools.kimchiauth.on': True
+ },
+ '/spice.html': {
+ 'tools.kimchiauth.on': True
+ },
 '/data/screenshots': {
 'tools.staticdir.on': True,
 'tools.staticdir.dir': get_screenshot_path(),
diff --git a/tests/test_config.py.in b/tests/test_config.py.in
index 6965930..4e4375b 100644
--- a/tests/test_config.py.in
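Review bot: The path named in the commit message, `/vnc.html`, is not among the protected routes: the new entries cover only `/vnc_auto.html` and `/spice.html`, while `'/'` keeps `'tools.kimchiauth.on': False`, so a console page without its own entry is still served unauthenticated. If `vnc.html` or any other console entry page is still reachable, it needs the same entry, e.g. `'/vnc.html': {'tools.kimchiauth.on': True},`; if not, the message should name the page that is actually protected. Going by the URL in the message, the console connection itself is made to a separate proxy port with the VM name as `token`, and nothing in this hunk touches that path, so it is worth confirming that the proxy checks the session too rather than relying on the page being hidden. A comment above the two entries such as `# Console pages: '/' disables kimchiauth, so each console entry page must opt in here.` would keep the next page added from being missed. The `kimchi_config` literal continues past the end of the hunk.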
+++ b/tests/test_config.py.in
@@ -92,18 +92,26 @@ class ConfigTests(unittest.TestCase):
 CACHEEXPIRES = 31536000
 SESSIONSTIMEOUT = 10
 configObj = {
- '/': {'tools.trailing_slash.on': False,
- 'request.methods_with_bodies': ('POST', 'PUT'),
- 'tools.nocache.on': True,
- 'tools.proxy.on': True,
- 'tools.sessions.on': True,
- 'tools.sessions.name': 'kimchi',
- 'tools.sessions.secure': True,
- 'tools.sessions.httponly': True,
- 'tools.sessions.locking': 'explicit',
- 'tools.sessions.storage_type': 'ram',
- 'tools.sessions.timeout': SESSIONSTIMEOUT,
- 'tools.kimchiauth.on': False},
+ '/': {
+ 'tools.trailing_slash.on': False,
+ 'request.methods_with_bodies': ('POST', 'PUT'),
+ 'tools.nocache.on': True,
+ 'tools.proxy.on': True,
+ 'tools.sessions.on': True,
+ 'tools.sessions.name': 'kimchi',
+ 'tools.sessions.secure': True,
+ 'tools.sessions.httponly': True,
+ 'tools.sessions.locking': 'explicit',
+ 'tools.sessions.storage_type': 'ram',
+ 'tools.sessions.timeout': SESSIONSTIMEOUT,
+ 'tools.kimchiauth.on': False
+ },
+ '/vnc_auto.html': {
+ 'tools.kimchiauth.on': True
+ },
+ '/spice.html': {
+ 'tools.kimchiauth.on': True
+ },
 '/css': {
 'tools.staticdir.on': True,
 'tools.staticdir.dir': '%s/ui/css' % paths.prefix,
--
1.7.10.4
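Review bot: The expected `configObj` is a hand-copied duplicate of `kimchi_config`, so this test passes whenever both literals are edited the same way and says nothing about whether the console pages actually refuse a request that carries no session. A request-level test that fetches `/vnc_auto.html` and `/spice.html` without logging in and asserts that the request is refused, alongside one that succeeds after login, would pin the behaviour this commit is meant to guarantee. The `configObj` literal continues past the end of the hunk.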