Re: [Kimchi-devel] [PATCH] bug fix: Avoid equals sign in VM console URL

On 07/29/2014 10:22 AM, Zheng Sheng ZS Zhou wrote:
Sheldon <shaohef@linux.vnet.ibm.com> wrote 2014-07-28 17:23:21:
From: Sheldon <shaohef@linux.vnet.ibm.com>
To: alinefm@linux.vnet.ibm.com, Kimchi Devel <kimchi-devel@ovirt.org>, Zheng Sheng ZS Zhou/China/IBM@IBMCN
Date: 2014-07-28 17:22
Subject: Re: [Kimchi-devel] [PATCH] bug fix: Avoid equals sign in VM console URL
On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As the token value is not decoded anywhere, replace = by A.

Also, in our kimchi I have tried:
In [45]: base64.urlsafe_b64encode("abcd")
Out[45]: 'YWJjZA=='
In [41]: base64.urlsafe_b64encode("abcde")
Out[41]: 'YWJjZGU='

JS is very cool, it can decode base64 without "=" padding well:
kimchi.urlSafeB64Decode("YWJjZA")
"abcd"
kimchi.urlSafeB64Decode("YWJjZGU")
"abcde"

We just need, in Python:
In [48]: base64.urlsafe_b64encode("abcd").rstrip("=")
Out[48]: 'YWJjZA'

A friendly reminder: we have to make sure this trick also works in IE and Chrome.

Tried Chrome, it works. But no IE environment.
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode (vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode (vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
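Review bot: in add_proxy_token() the triple-quoted block is placed after the `with open(...)` line, so it is a bare string expression inside the body rather than a docstring; make it a `#` comment or move it directly under the `def` line. Separately, `.replace('=', 'A')` swaps the padding for a character that is itself in the Base64 alphabet, so 'YWJjZA==' becomes 'YWJjZAAA', a different valid Base64 string rather than an unpadded one. `.rstrip('=')`, as proposed in this thread, removes the padding without changing the encoded value, provided the JS side strips it the same way.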
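Review bot: both kimchi.api.js hunks repeat the same comment block and `.replace(/=/g, 'A')` at the VNC and the Spice call sites, and the result has to match character for character what add_proxy_token() writes to the token file. Put the substitution in one helper (or in kimchi.urlSafeB64Encode itself, if no other caller needs the padding) so the client and server sides cannot drift apart. The commit message says the problem was only seen on Spice, so the comment at the VNC site should say why that path changes too.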
-- Thanks and best regards!
Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
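The two padding treatments discussed in this thread, side by side, as an added example that is not part of the original messages or of Kimchi's code. It is written for Python 3; the function names and the sample VM names are constructed for illustration.

```python
import base64
import re

# Characters that need no escaping in a URL query component; '=' is not among them.
URL_SAFE = re.compile(r"^[A-Za-z0-9_-]*$")


def token_strip(name: str) -> str:
    """URL-safe Base64 of name with the '=' padding removed (the rstrip variant)."""
    return base64.urlsafe_b64encode(name.encode("utf-8")).decode("ascii").rstrip("=")


def token_pad_a(name: str) -> str:
    """URL-safe Base64 of name with '=' replaced by 'A' (the variant in the patch)."""
    return base64.urlsafe_b64encode(name.encode("utf-8")).decode("ascii").replace("=", "A")


def decode_unpadded(token: str) -> bytes:
    """Decode a URL-safe Base64 token after restoring any stripped padding."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def compare(name: str) -> dict:
    """Build both tokens for name and report URL safety and round-trip behaviour."""
    raw = name.encode("utf-8")
    stripped, padded = token_strip(name), token_pad_a(name)
    return {
        "strip": stripped,
        "pad_a": padded,
        "both_url_safe": bool(URL_SAFE.match(stripped) and URL_SAFE.match(padded)),
        "strip_round_trips": decode_unpadded(stripped) == raw,
        "pad_a_round_trips": decode_unpadded(padded) == raw,
    }


if __name__ == "__main__":
    for vm in ("abcd", "abcde", "abcdef", "vm-测试"):  # constructed VM names
        print(vm, compare(vm))
```

When the encoded name's byte length is a multiple of 3 there is no padding and the two variants are identical; otherwise only the stripped token decodes back to the name, while the 'A' form decodes to the name followed by NUL bytes.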