[PATCH] bug fix: Avoid equals sign in VM console URL
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that. For reference: https://docs.python.org/2/library/base64.html Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy(): def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); -- 1.9.3
On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
what about other character instead of A? such as "." or "~" This is the base64 alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' "A" is in the alphabet. or do not pad the encode string. some base64 variant has no pad character. http://en.wikipedia.org/wiki/Base64#Implementations_and_history Then in python, it can easy strip the "=" In [21]: s1 = base64.urlsafe_b64encode("abcd") In [22]: s1.rstrip("=") Out[22]: 'YWJjZA' and In js add a funtion to $ git diff diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js index 480b9b5..2d252a7 100644 --- a/ui/js/src/kimchi.utils.js +++ b/ui/js/src/kimchi.utils.js @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { kimchi.urlSafeB64Encode = function(str) { return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); } + +kimchi.padBase64 = function(str) { + padLen = str.length % 4; + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); +} Now test this method: in python: In [40]: base64.urlsafe_b64encode("abcd") Out[40]: 'YWJjZA==' In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU=' In UI: kimchi.padBase64("YWJjZA") "YWJjZA==" kimchi.padBase64("YWJjZGU") "YWJjZGU="
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
On 07/28/2014 06:15 AM, Sheldon wrote:
On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
what about other character instead of A? such as "." or "~"
This is the base64 alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
"A" is in the alphabet.
Ok. I will use . to replace =
or do not pad the encode string. some base64 variant has no pad character. http://en.wikipedia.org/wiki/Base64#Implementations_and_history
I think we can have problem in not using the pad if you have the same code string to different sentence Example: "abcd" = "YWJjZA=" "jdcf" = "YWJjZA" If we ignore the = in the first string we will have 2 matches to the different values. Not sure it can happen in real world, but I think it is safe to use . instead of =
Then in python, it can easy strip the "=" In [21]: s1 = base64.urlsafe_b64encode("abcd") In [22]: s1.rstrip("=") Out[22]: 'YWJjZA'
and In js add a funtion to $ git diff diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js index 480b9b5..2d252a7 100644 --- a/ui/js/src/kimchi.utils.js +++ b/ui/js/src/kimchi.utils.js @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { kimchi.urlSafeB64Encode = function(str) { return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); } + +kimchi.padBase64 = function(str) { + padLen = str.length % 4; + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); +}
Now test this method: in python: In [40]: base64.urlsafe_b64encode("abcd") Out[40]: 'YWJjZA=='
In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU='
In UI: kimchi.padBase64("YWJjZA") "YWJjZA=="
kimchi.padBase64("YWJjZGU") "YWJjZGU="
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
On 07/28/2014 08:28 PM, Aline Manera wrote:
>
> On 07/28/2014 06:15 AM, Sheldon wrote:
>> On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
>>> From: Aline Manera <alinefm@linux.vnet.ibm.com>
>>>
>>> >From python documentation, base64.urlsafe_b64encode(s) substitutes
>>> - instead
>>> of + and _ instead of / in the standard Base64 alphabet, BUT the
>>> result can
>>> still contain = which is not safe in a URL query component.
>>> As token value is not decoded nowhere, replace = by A
>>
>> what about other character instead of A? such as "." or "~"
>>
>> This is the base64 alphabet:
>> 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
>>
>> "A" is in the alphabet.
>>
>
> Ok. I will use . to replace =
>
>>
>> or do not pad the encode string.
>> some base64 variant has no pad character.
>> http://en.wikipedia.org/wiki/Base64#Implementations_and_history
>>
>
> I think we can have problem in not using the pad if you have the same
> code string to different sentence
> Example:
>
> "abcd" = "YWJjZA="
> "jdcf" = "YWJjZA"
in python, I have try:
In [51]: base64.urlsafe_b64encode("jdcf")
Out[51]: 'amRjZg=='
In [52]: base64.urlsafe_b64encode("abcd")
Out[52]: 'YWJjZA=='
and in UI I also try:
atob("YWJjZA")
"abcd"
atob("YWJjZA=")
[Exception... "String contains an invalid character" code: "5"
nsresult: "0x80530005 (InvalidCharacterError)" location: "<unknown>"]
atob("YWJjZA==")
"abcd"
>
> If we ignore the = in the first string we will have 2 matches to the
> different values.
> Not sure it can happen in real world, but I think it is safe to use .
> instead of =
>
>>
>> Then in python, it can easy strip the "="
>> In [21]: s1 = base64.urlsafe_b64encode("abcd")
>> In [22]: s1.rstrip("=")
>> Out[22]: 'YWJjZA'
>>
>> and In js add a funtion to
>> $ git diff
>> diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js
>> index 480b9b5..2d252a7 100644
>> --- a/ui/js/src/kimchi.utils.js
>> +++ b/ui/js/src/kimchi.utils.js
>> @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) {
>> kimchi.urlSafeB64Encode = function(str) {
>> return btoa(str).replace(/\+/g, '-').replace(/\//g, '_');
>> }
>> +
>> +kimchi.padBase64 = function(str) {
>> + padLen = str.length % 4;
>> + return str + new Array(padLen? 4 - padLen + 1 : 0).join("=");
>> +}
>>
>>
>> Now test this method:
>> in python:
>> In [40]: base64.urlsafe_b64encode("abcd")
>> Out[40]: 'YWJjZA=='
>>
>> In [41]: base64.urlsafe_b64encode("abcde")
>> Out[41]: 'YWJjZGU='
>>
>> In UI:
>> kimchi.padBase64("YWJjZA")
>> "YWJjZA=="
>>
>> kimchi.padBase64("YWJjZGU")
>> "YWJjZGU="
>>
>>
>>>
>>> The problem with equals sign was only identified on Spice connections.
>>> noVNC can deal well with that.
>>>
>>> For reference: https://docs.python.org/2/library/base64.html
>>>
>>> Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
>>> ---
>>> src/kimchi/vnc.py | 9 ++++++++-
>>> ui/js/src/kimchi.api.js | 18 ++++++++++++++++--
>>> 2 files changed, 24 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
>>> index 9380e21..4159049 100644
>>> --- a/src/kimchi/vnc.py
>>> +++ b/src/kimchi/vnc.py
>>> @@ -54,7 +54,14 @@ def new_ws_proxy():
>>>
>>> def add_proxy_token(name, port):
>>> with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f:
>>> - name = base64.urlsafe_b64encode(name)
>>> + """
>>> + From python documentation base64.urlsafe_b64encode(s)
>>> + substitutes - instead of + and _ instead of / in the
>>> + standard Base64 alphabet, BUT the result can still
>>> + contain = which is not safe in a URL query component.
>>> + As token value is not decoded nowhere, replace = by A
>>> + """
>>> + name = base64.urlsafe_b64encode(name).replace('=', 'A')
>>> f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
>>>
>>>
>>> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
>>> index 8f5b68f..30360c5 100644
>>> --- a/ui/js/src/kimchi.api.js
>>> +++ b/ui/js/src/kimchi.api.js
>>> @@ -352,7 +352,14 @@ var kimchi = {
>>> }).done(function() {
>>> url = 'https://' + location.hostname + ':' +
>>> proxy_port;
>>> url += "/console.html?url=vnc_auto.html&port=" +
>>> proxy_port;
>>> - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm);
>>> + /*
>>> + * From python documentation
>>> base64.urlsafe_b64encode(s)
>>> + * substitutes - instead of + and _ instead of / in
>>> the
>>> + * standard Base64 alphabet, BUT the result can still
>>> + * contain = which is not safe in a URL query
>>> component.
>>> + * As token value is not decoded nowhere, replace =
>>> by A
>>> + * */
>>> + url += "&path=?token=" +
>>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A');
>>> url += "&kimchi=" + location.port;
>>> url += '&encrypt=1';
>>> window.open(url);
>>> @@ -377,7 +384,14 @@ var kimchi = {
>>> url = 'https://' + location.hostname + ':' +
>>> proxy_port;
>>> url += "/console.html?url=spice.html&port=" +
>>> proxy_port;
>>> url += "&listen=" + location.hostname;
>>> - url += "&token=" + kimchi.urlSafeB64Encode(vm);
>>> + /*
>>> + * From python documentation
>>> base64.urlsafe_b64encode(s)
>>> + * substitutes - instead of + and _ instead of / in
>>> the
>>> + * standard Base64 alphabet, BUT the result can still
>>> + * contain = which is not safe in a URL query
>>> component.
>>> + * As token value is not decoded nowhere, replace =
>>> by A
>>> + * */
>>> + url += "&token=" +
>>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A');
>>> url += "&kimchi=" + location.port;
>>> url += '&encrypt=1';
>>> window.open(url);
>>
>>
>
>
>
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com>
IBM Linux Technology Center
On 07/28/2014 11:15 AM, Sheldon wrote:
> On 07/28/2014 08:28 PM, Aline Manera wrote:
>>
>> On 07/28/2014 06:15 AM, Sheldon wrote:
>>> On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
>>>> From: Aline Manera <alinefm@linux.vnet.ibm.com>
>>>>
>>>> >From python documentation, base64.urlsafe_b64encode(s) substitutes
>>>> - instead
>>>> of + and _ instead of / in the standard Base64 alphabet, BUT the
>>>> result can
>>>> still contain = which is not safe in a URL query component.
>>>> As token value is not decoded nowhere, replace = by A
>>>
>>> what about other character instead of A? such as "." or "~"
>>>
>>> This is the base64 alphabet:
>>> 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
>>>
>>> "A" is in the alphabet.
>>>
>>
>> Ok. I will use . to replace =
>>
>>>
>>> or do not pad the encode string.
>>> some base64 variant has no pad character.
>>> http://en.wikipedia.org/wiki/Base64#Implementations_and_history
>>>
>>
>> I think we can have problem in not using the pad if you have the same
>> code string to different sentence
>> Example:
>>
>> "abcd" = "YWJjZA="
>> "jdcf" = "YWJjZA"
>
> in python, I have try:
>
> In [51]: base64.urlsafe_b64encode("jdcf")
> Out[51]: 'amRjZg=='
>
> In [52]: base64.urlsafe_b64encode("abcd")
> Out[52]: 'YWJjZA=='
>
>
> and in UI I also try:
> atob("YWJjZA")
> "abcd"
> atob("YWJjZA=")
> [Exception... "String contains an invalid character" code: "5"
> nsresult: "0x80530005 (InvalidCharacterError)" location: "<unknown>"]
> atob("YWJjZA==")
> "abcd"
>
Ok. I will remove the padding encode
>
>>
>> If we ignore the = in the first string we will have 2 matches to the
>> different values.
>> Not sure it can happen in real world, but I think it is safe to use .
>> instead of =
>>
>>>
>>> Then in python, it can easy strip the "="
>>> In [21]: s1 = base64.urlsafe_b64encode("abcd")
>>> In [22]: s1.rstrip("=")
>>> Out[22]: 'YWJjZA'
>>>
>>> and In js add a funtion to
>>> $ git diff
>>> diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js
>>> index 480b9b5..2d252a7 100644
>>> --- a/ui/js/src/kimchi.utils.js
>>> +++ b/ui/js/src/kimchi.utils.js
>>> @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) {
>>> kimchi.urlSafeB64Encode = function(str) {
>>> return btoa(str).replace(/\+/g, '-').replace(/\//g, '_');
>>> }
>>> +
>>> +kimchi.padBase64 = function(str) {
>>> + padLen = str.length % 4;
>>> + return str + new Array(padLen? 4 - padLen + 1 : 0).join("=");
>>> +}
>>>
>>>
>>> Now test this method:
>>> in python:
>>> In [40]: base64.urlsafe_b64encode("abcd")
>>> Out[40]: 'YWJjZA=='
>>>
>>> In [41]: base64.urlsafe_b64encode("abcde")
>>> Out[41]: 'YWJjZGU='
>>>
>>> In UI:
>>> kimchi.padBase64("YWJjZA")
>>> "YWJjZA=="
>>>
>>> kimchi.padBase64("YWJjZGU")
>>> "YWJjZGU="
>>>
>>>
>>>>
>>>> The problem with equals sign was only identified on Spice connections.
>>>> noVNC can deal well with that.
>>>>
>>>> For reference: https://docs.python.org/2/library/base64.html
>>>>
>>>> Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
>>>> ---
>>>> src/kimchi/vnc.py | 9 ++++++++-
>>>> ui/js/src/kimchi.api.js | 18 ++++++++++++++++--
>>>> 2 files changed, 24 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
>>>> index 9380e21..4159049 100644
>>>> --- a/src/kimchi/vnc.py
>>>> +++ b/src/kimchi/vnc.py
>>>> @@ -54,7 +54,14 @@ def new_ws_proxy():
>>>>
>>>> def add_proxy_token(name, port):
>>>> with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f:
>>>> - name = base64.urlsafe_b64encode(name)
>>>> + """
>>>> + From python documentation base64.urlsafe_b64encode(s)
>>>> + substitutes - instead of + and _ instead of / in the
>>>> + standard Base64 alphabet, BUT the result can still
>>>> + contain = which is not safe in a URL query component.
>>>> + As token value is not decoded nowhere, replace = by A
>>>> + """
>>>> + name = base64.urlsafe_b64encode(name).replace('=', 'A')
>>>> f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
>>>>
>>>>
>>>> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
>>>> index 8f5b68f..30360c5 100644
>>>> --- a/ui/js/src/kimchi.api.js
>>>> +++ b/ui/js/src/kimchi.api.js
>>>> @@ -352,7 +352,14 @@ var kimchi = {
>>>> }).done(function() {
>>>> url = 'https://' + location.hostname + ':' +
>>>> proxy_port;
>>>> url += "/console.html?url=vnc_auto.html&port=" +
>>>> proxy_port;
>>>> - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm);
>>>> + /*
>>>> + * From python documentation
>>>> base64.urlsafe_b64encode(s)
>>>> + * substitutes - instead of + and _ instead of /
>>>> in the
>>>> + * standard Base64 alphabet, BUT the result can still
>>>> + * contain = which is not safe in a URL query
>>>> component.
>>>> + * As token value is not decoded nowhere, replace
>>>> = by A
>>>> + * */
>>>> + url += "&path=?token=" +
>>>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A');
>>>> url += "&kimchi=" + location.port;
>>>> url += '&encrypt=1';
>>>> window.open(url);
>>>> @@ -377,7 +384,14 @@ var kimchi = {
>>>> url = 'https://' + location.hostname + ':' +
>>>> proxy_port;
>>>> url += "/console.html?url=spice.html&port=" +
>>>> proxy_port;
>>>> url += "&listen=" + location.hostname;
>>>> - url += "&token=" + kimchi.urlSafeB64Encode(vm);
>>>> + /*
>>>> + * From python documentation
>>>> base64.urlsafe_b64encode(s)
>>>> + * substitutes - instead of + and _ instead of /
>>>> in the
>>>> + * standard Base64 alphabet, BUT the result can still
>>>> + * contain = which is not safe in a URL query
>>>> component.
>>>> + * As token value is not decoded nowhere, replace
>>>> = by A
>>>> + * */
>>>> + url += "&token=" +
>>>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A');
>>>> url += "&kimchi=" + location.port;
>>>> url += '&encrypt=1';
>>>> window.open(url);
>>>
>>>
>>
>>
>>
>
>
On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A also in our kimchi I have try: In [45]: base64.urlsafe_b64encode("abcd") Out[45]: 'YWJjZA==' In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU='
JS is very cool, it can decode base64 without "=" padding well kimchi.urlSafeB64Decode("YWJjZA") "abcd" kimchi.urlSafeB64Decode("YWJjZGU") "abcde" we just need in python: In [48]: base64.urlsafe_b64encode("abcd").rstrip("=") Out[48]: 'YWJjZA'
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
Reviewed-by: Daniel Barboza <danielhb@linux.vnet.ibm.com> On 07/25/2014 06:01 PM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
participants (4)
-
Aline Manera -
alinefm@linux.vnet.ibm.com
-
Daniel H Barboza -
Sheldon