
On 07/28/2014 06:15 AM, Sheldon wrote:
On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From the Python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As the token value is not decoded anywhere, replace = by A
What about another character instead of A, such as "." or "~"?
This is the base64 alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
"A" is in the alphabet.
Ok. I will use . to replace =
Or do not pad the encoded string. Some base64 variants have no pad character. http://en.wikipedia.org/wiki/Base64#Implementations_and_history
I think we can have a problem in not using the pad if you have the same code string for different sentences.
Example:
"abcd" = "YWJjZA="
"jdcf" = "YWJjZA"
If we ignore the = in the first string we will have 2 matches to the different values. Not sure it can happen in the real world, but I think it is safe to use . instead of =
Then in Python, it can easily strip the "="
In [21]: s1 = base64.urlsafe_b64encode("abcd")
In [22]: s1.rstrip("=")
Out[22]: 'YWJjZA'
and in JS add a function to $ git diff diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js index 480b9b5..2d252a7 100644 --- a/ui/js/src/kimchi.utils.js +++ b/ui/js/src/kimchi.utils.js @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { kimchi.urlSafeB64Encode = function(str) { return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); } + +kimchi.padBase64 = function(str) { + padLen = str.length % 4; + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); +}
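Review bot: `padLen` in kimchi.padBase64 is assigned without `var`, so it becomes an implicit global (and throws in strict mode); declare it as `var padLen = str.length % 4;`. Separately, a string whose length is 1 modulo 4 is never valid unpadded Base64, yet this function would append "===" to it; returning the input unchanged or raising in that case would make bad tokens easier to spot.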
Now test this method:
in python:
In [40]: base64.urlsafe_b64encode("abcd")
Out[40]: 'YWJjZA=='

In [41]: base64.urlsafe_b64encode("abcde")
Out[41]: 'YWJjZGU='

In UI:
kimchi.padBase64("YWJjZA")
"YWJjZA=="

kimchi.padBase64("YWJjZGU")
"YWJjZGU="
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
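Review bot: In the src/kimchi/vnc.py hunk, `.replace('=', 'A')` in add_proxy_token maps the pad character onto 'A', which is itself in the Base64 alphabet, so the token written to the file is no longer guaranteed unique per name: a padded encoding rewritten this way can equal the unpadded encoding of a different, longer name. Substituting a character outside the alphabet, or stripping the padding with rstrip('='), keeps the mapping one-to-one. The explanatory text is also a triple-quoted string placed inside the `with` block, where it is an expression statement rather than a docstring; `#` comments above the assignment would be the usual form.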
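Review bot: In ui/js/src/kimchi.api.js the call `.replace(/=/g, 'A')` and its seven-line comment are repeated verbatim in both the vnc_auto.html hunk and the spice.html hunk, and both must stay identical to the substitution in add_proxy_token in vnc.py or the token lookup will stop matching. Moving the substitution into kimchi.urlSafeB64Encode, or into one helper next to it, would leave a single place to change on the client side when the replacement character changes. The comment's closing ` * */` can be a plain ` */`.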
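The three token schemes discussed in this thread (replace = by A, replace = by ., strip the padding) can be compared for collisions directly. The following is an added example, not part of the thread or of Kimchi's code; it uses Python 3, the function names are hypothetical, and the input names are constructed.

```python
import base64
from itertools import product

def _b64(name: bytes) -> str:
    return base64.urlsafe_b64encode(name).decode("ascii")

def token_replace_a(name: bytes) -> str:
    """Scheme in the patch: '=' rewritten to 'A' (a Base64 alphabet character)."""
    return _b64(name).replace("=", "A")

def token_replace_dot(name: bytes) -> str:
    """Scheme from the reply: '=' rewritten to '.', which is outside the alphabet."""
    return _b64(name).replace("=", ".")

def token_strip(name: bytes) -> str:
    """Unpadded variant: trailing '=' removed."""
    return _b64(name).rstrip("=")

def restore_padding(token: str) -> str:
    """Python counterpart of the thread's kimchi.padBase64."""
    return token + "=" * (-len(token) % 4)

def find_collisions(encode, names):
    """Return (first_name, second_name, token) for every token produced twice."""
    seen, collisions = {}, []
    for name in names:
        token = encode(name)
        if token in seen:
            collisions.append((seen[token], name, token))
        else:
            seen[token] = name
    return collisions

# Constructed input: every 1..4 byte string over {'a', 'b', NUL}.
NAMES = [bytes(p) for r in range(1, 5) for p in product(b"ab\x00", repeat=r)]

if __name__ == "__main__":
    for scheme in (token_replace_a, token_replace_dot, token_strip):
        hits = find_collisions(scheme, NAMES)
        print(f"{scheme.__name__}: {len(hits)} collisions", hits[:2])
```

Under the 'A' scheme the colliding partner is always the original name followed by NUL bytes, because 'A' encodes six zero bits; the other two schemes stay one-to-one over this input.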