On 07/26/2014 05:01 AM, alinefm(a)linux.vnet.ibm.com wrote: > From: Aline Manera <alinefm(a)linux.vnet.ibm.com&gt; > > >From python documentation, base64.urlsafe_b64encode(s) substitutes - > instead > of + and _ instead of / in the standard Base64 alphabet, BUT the > result can > still contain = which is not safe in a URL query component. > As token value is not decoded nowhere, replace = by A what about other character instead of A? such as "." or "~" This is the base64 alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' "A" is in the alphabet.

or do not pad the encode string. some base64 variant has no pad character. http://en.wikipedia.org/wiki/Base64#Implementations_and_history

Then in python, it can easy strip the "=" In [21]: s1 = base64.urlsafe_b64encode("abcd") In [22]: s1.rstrip("=") Out[22]: 'YWJjZA' and In js add a funtion to $ git diff diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js index 480b9b5..2d252a7 100644 --- a/ui/js/src/kimchi.utils.js +++ b/ui/js/src/kimchi.utils.js @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { kimchi.urlSafeB64Encode = function(str) { return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); } + +kimchi.padBase64 = function(str) { + padLen = str.length % 4; + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); +} Now test this method: in python: In [40]: base64.urlsafe_b64encode("abcd") Out[40]: 'YWJjZA==' In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU=' In UI: kimchi.padBase64("YWJjZA") "YWJjZA==" kimchi.padBase64("YWJjZGU") "YWJjZGU=" > > The problem with equals sign was only identified on Spice connections. > noVNC can deal well with that. > > For reference: https://docs.python.org/2/library/base64.html > > Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com&gt; > --- > src/kimchi/vnc.py | 9 ++++++++- > ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- > 2 files changed, 24 insertions(+), 3 deletions(-) > > diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py > index 9380e21..4159049 100644 > --- a/src/kimchi/vnc.py > +++ b/src/kimchi/vnc.py > @@ -54,7 +54,14 @@ def new_ws_proxy(): > > def add_proxy_token(name, port): > with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: > - name = base64.urlsafe_b64encode(name) > + """ > + From python documentation base64.urlsafe_b64encode(s) > + substitutes - instead of + and _ instead of / in the > + standard Base64 alphabet, BUT the result can still > + contain = which is not safe in a URL query component. > + As token value is not decoded nowhere, replace = by A > + """ > + name = base64.urlsafe_b64encode(name).replace('=', 'A') > f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) > > > diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js > index 8f5b68f..30360c5 100644 > --- a/ui/js/src/kimchi.api.js > +++ b/ui/js/src/kimchi.api.js > @@ -352,7 +352,14 @@ var kimchi = { > }).done(function() { > url = 'https://' + location.hostname + ':' + > proxy_port; > url += "/console.html?url=vnc_auto.html&port=" + > proxy_port; > - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); > + /* > + * From python documentation > base64.urlsafe_b64encode(s) > + * substitutes - instead of + and _ instead of / in the > + * standard Base64 alphabet, BUT the result can still > + * contain = which is not safe in a URL query > component. > + * As token value is not decoded nowhere, replace = > by A > + * */ > + url += "&path=?token=" + > kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); > url += "&kimchi=" + location.port; > url += '&encrypt=1'; > window.open(url); > @@ -377,7 +384,14 @@ var kimchi = { > url = 'https://' + location.hostname + ':' + > proxy_port; > url += "/console.html?url=spice.html&port=" + > proxy_port; > url += "&listen=" + location.hostname; > - url += "&token=" + kimchi.urlSafeB64Encode(vm); > + /* > + * From python documentation > base64.urlsafe_b64encode(s) > + * substitutes - instead of + and _ instead of / in the > + * standard Base64 alphabet, BUT the result can still > + * contain = which is not safe in a URL query > component. > + * As token value is not decoded nowhere, replace = > by A > + * */ > + url += "&token=" + > kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); > url += "&kimchi=" + location.port; > url += '&encrypt=1'; > window.open(url);

On 07/28/2014 08:28 PM, Aline Manera wrote: > > On 07/28/2014 06:15 AM, Sheldon wrote: >> On 07/26/2014 05:01 AM, alinefm(a)linux.vnet.ibm.com wrote: >>> From: Aline Manera <alinefm(a)linux.vnet.ibm.com&gt; >>> >>> >From python documentation, base64.urlsafe_b64encode(s) substitutes >>> - instead >>> of + and _ instead of / in the standard Base64 alphabet, BUT the >>> result can >>> still contain = which is not safe in a URL query component. >>> As token value is not decoded nowhere, replace = by A >> >> what about other character instead of A? such as "." or "~" >> >> This is the base64 alphabet: >> 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' >> >> "A" is in the alphabet. >> > > Ok. I will use . to replace = > >> >> or do not pad the encode string. >> some base64 variant has no pad character. >> http://en.wikipedia.org/wiki/Base64#Implementations_and_history >> > > I think we can have problem in not using the pad if you have the same > code string to different sentence > Example: > > "abcd" = "YWJjZA=" > "jdcf" = "YWJjZA" in python, I have try: In [51]: base64.urlsafe_b64encode("jdcf") Out[51]: 'amRjZg==' In [52]: base64.urlsafe_b64encode("abcd") Out[52]: 'YWJjZA==' and in UI I also try: atob("YWJjZA") "abcd" atob("YWJjZA=") [Exception... "String contains an invalid character" code: "5" nsresult: "0x80530005 (InvalidCharacterError)" location: "<unknown>"] atob("YWJjZA==") "abcd"

> > If we ignore the = in the first string we will have 2 matches to the > different values. > Not sure it can happen in real world, but I think it is safe to use . > instead of = > >> >> Then in python, it can easy strip the "=" >> In [21]: s1 = base64.urlsafe_b64encode("abcd") >> In [22]: s1.rstrip("=") >> Out[22]: 'YWJjZA' >> >> and In js add a funtion to >> $ git diff >> diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js >> index 480b9b5..2d252a7 100644 >> --- a/ui/js/src/kimchi.utils.js >> +++ b/ui/js/src/kimchi.utils.js >> @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { >> kimchi.urlSafeB64Encode = function(str) { >> return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); >> } >> + >> +kimchi.padBase64 = function(str) { >> + padLen = str.length % 4; >> + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); >> +} >> >> >> Now test this method: >> in python: >> In [40]: base64.urlsafe_b64encode("abcd") >> Out[40]: 'YWJjZA==' >> >> In [41]: base64.urlsafe_b64encode("abcde") >> Out[41]: 'YWJjZGU=' >> >> In UI: >> kimchi.padBase64("YWJjZA") >> "YWJjZA==" >> >> kimchi.padBase64("YWJjZGU") >> "YWJjZGU=" >> >> >>> >>> The problem with equals sign was only identified on Spice connections. >>> noVNC can deal well with that. >>> >>> For reference: https://docs.python.org/2/library/base64.html >>> >>> Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com&gt; >>> --- >>> src/kimchi/vnc.py | 9 ++++++++- >>> ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- >>> 2 files changed, 24 insertions(+), 3 deletions(-) >>> >>> diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py >>> index 9380e21..4159049 100644 >>> --- a/src/kimchi/vnc.py >>> +++ b/src/kimchi/vnc.py >>> @@ -54,7 +54,14 @@ def new_ws_proxy(): >>> >>> def add_proxy_token(name, port): >>> with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: >>> - name = base64.urlsafe_b64encode(name) >>> + """ >>> + From python documentation base64.urlsafe_b64encode(s) >>> + substitutes - instead of + and _ instead of / in the >>> + standard Base64 alphabet, BUT the result can still >>> + contain = which is not safe in a URL query component. >>> + As token value is not decoded nowhere, replace = by A >>> + """ >>> + name = base64.urlsafe_b64encode(name).replace('=', 'A') >>> f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) >>> >>> >>> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js >>> index 8f5b68f..30360c5 100644 >>> --- a/ui/js/src/kimchi.api.js >>> +++ b/ui/js/src/kimchi.api.js >>> @@ -352,7 +352,14 @@ var kimchi = { >>> }).done(function() { >>> url = 'https://' + location.hostname + ':' + >>> proxy_port; >>> url += "/console.html?url=vnc_auto.html&port=" + >>> proxy_port; >>> - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); >>> + /* >>> + * From python documentation >>> base64.urlsafe_b64encode(s) >>> + * substitutes - instead of + and _ instead of / >>> in the >>> + * standard Base64 alphabet, BUT the result can still >>> + * contain = which is not safe in a URL query >>> component. >>> + * As token value is not decoded nowhere, replace >>> = by A >>> + * */ >>> + url += "&path=?token=" + >>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); >>> url += "&kimchi=" + location.port; >>> url += '&encrypt=1'; >>> window.open(url); >>> @@ -377,7 +384,14 @@ var kimchi = { >>> url = 'https://' + location.hostname + ':' + >>> proxy_port; >>> url += "/console.html?url=spice.html&port=" + >>> proxy_port; >>> url += "&listen=" + location.hostname; >>> - url += "&token=" + kimchi.urlSafeB64Encode(vm); >>> + /* >>> + * From python documentation >>> base64.urlsafe_b64encode(s) >>> + * substitutes - instead of + and _ instead of / >>> in the >>> + * standard Base64 alphabet, BUT the result can still >>> + * contain = which is not safe in a URL query >>> component. >>> + * As token value is not decoded nowhere, replace >>> = by A >>> + * */ >>> + url += "&token=" + >>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); >>> url += "&kimchi=" + location.port; >>> url += '&encrypt=1'; >>> window.open(url); >> >> > > >

From: Aline Manera <alinefm(a)linux.vnet.ibm.com&gt; From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A The problem with equals sign was only identified on Spice connections. noVNC can deal well with that. For reference: https://docs.python.org/2/library/base64.html Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com&gt; --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy(): def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);