[PATCH] bug fix: Avoid equals sign in VM console URL

From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that. For reference: https://docs.python.org/2/library/base64.html Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy(): def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); -- 1.9.3

On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
what about other character instead of A? such as "." or "~" This is the base64 alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' "A" is in the alphabet. or do not pad the encode string. some base64 variant has no pad character. http://en.wikipedia.org/wiki/Base64#Implementations_and_history Then in python, it can easy strip the "=" In [21]: s1 = base64.urlsafe_b64encode("abcd") In [22]: s1.rstrip("=") Out[22]: 'YWJjZA' and In js add a funtion to $ git diff diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js index 480b9b5..2d252a7 100644 --- a/ui/js/src/kimchi.utils.js +++ b/ui/js/src/kimchi.utils.js @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { kimchi.urlSafeB64Encode = function(str) { return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); } + +kimchi.padBase64 = function(str) { + padLen = str.length % 4; + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); +} Now test this method: in python: In [40]: base64.urlsafe_b64encode("abcd") Out[40]: 'YWJjZA==' In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU=' In UI: kimchi.padBase64("YWJjZA") "YWJjZA==" kimchi.padBase64("YWJjZGU") "YWJjZGU="
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

On 07/28/2014 06:15 AM, Sheldon wrote:
On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
what about other character instead of A? such as "." or "~"
This is the base64 alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
"A" is in the alphabet.
Ok. I will use . to replace =
or do not pad the encode string. some base64 variant has no pad character. http://en.wikipedia.org/wiki/Base64#Implementations_and_history
I think we can have problem in not using the pad if you have the same code string to different sentence Example: "abcd" = "YWJjZA=" "jdcf" = "YWJjZA" If we ignore the = in the first string we will have 2 matches to the different values. Not sure it can happen in real world, but I think it is safe to use . instead of =
Then in python, it can easy strip the "=" In [21]: s1 = base64.urlsafe_b64encode("abcd") In [22]: s1.rstrip("=") Out[22]: 'YWJjZA'
and In js add a funtion to $ git diff diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js index 480b9b5..2d252a7 100644 --- a/ui/js/src/kimchi.utils.js +++ b/ui/js/src/kimchi.utils.js @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { kimchi.urlSafeB64Encode = function(str) { return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); } + +kimchi.padBase64 = function(str) { + padLen = str.length % 4; + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); +}
Now test this method: in python: In [40]: base64.urlsafe_b64encode("abcd") Out[40]: 'YWJjZA=='
In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU='
In UI: kimchi.padBase64("YWJjZA") "YWJjZA=="
kimchi.padBase64("YWJjZGU") "YWJjZGU="
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);

On 07/28/2014 08:28 PM, Aline Manera wrote: > > On 07/28/2014 06:15 AM, Sheldon wrote: >> On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote: >>> From: Aline Manera <alinefm@linux.vnet.ibm.com> >>> >>> >From python documentation, base64.urlsafe_b64encode(s) substitutes >>> - instead >>> of + and _ instead of / in the standard Base64 alphabet, BUT the >>> result can >>> still contain = which is not safe in a URL query component. >>> As token value is not decoded nowhere, replace = by A >> >> what about other character instead of A? such as "." or "~" >> >> This is the base64 alphabet: >> 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' >> >> "A" is in the alphabet. >> > > Ok. I will use . to replace = > >> >> or do not pad the encode string. >> some base64 variant has no pad character. >> http://en.wikipedia.org/wiki/Base64#Implementations_and_history >> > > I think we can have problem in not using the pad if you have the same > code string to different sentence > Example: > > "abcd" = "YWJjZA=" > "jdcf" = "YWJjZA" in python, I have try: In [51]: base64.urlsafe_b64encode("jdcf") Out[51]: 'amRjZg==' In [52]: base64.urlsafe_b64encode("abcd") Out[52]: 'YWJjZA==' and in UI I also try: atob("YWJjZA") "abcd" atob("YWJjZA=") [Exception... "String contains an invalid character" code: "5" nsresult: "0x80530005 (InvalidCharacterError)" location: "<unknown>"] atob("YWJjZA==") "abcd" > > If we ignore the = in the first string we will have 2 matches to the > different values. > Not sure it can happen in real world, but I think it is safe to use . > instead of = > >> >> Then in python, it can easy strip the "=" >> In [21]: s1 = base64.urlsafe_b64encode("abcd") >> In [22]: s1.rstrip("=") >> Out[22]: 'YWJjZA' >> >> and In js add a funtion to >> $ git diff >> diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js >> index 480b9b5..2d252a7 100644 >> --- a/ui/js/src/kimchi.utils.js >> +++ b/ui/js/src/kimchi.utils.js >> @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { >> kimchi.urlSafeB64Encode = function(str) { >> return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); >> } >> + >> +kimchi.padBase64 = function(str) { >> + padLen = str.length % 4; >> + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); >> +} >> >> >> Now test this method: >> in python: >> In [40]: base64.urlsafe_b64encode("abcd") >> Out[40]: 'YWJjZA==' >> >> In [41]: base64.urlsafe_b64encode("abcde") >> Out[41]: 'YWJjZGU=' >> >> In UI: >> kimchi.padBase64("YWJjZA") >> "YWJjZA==" >> >> kimchi.padBase64("YWJjZGU") >> "YWJjZGU=" >> >> >>> >>> The problem with equals sign was only identified on Spice connections. >>> noVNC can deal well with that. >>> >>> For reference: https://docs.python.org/2/library/base64.html >>> >>> Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> >>> --- >>> src/kimchi/vnc.py | 9 ++++++++- >>> ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- >>> 2 files changed, 24 insertions(+), 3 deletions(-) >>> >>> diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py >>> index 9380e21..4159049 100644 >>> --- a/src/kimchi/vnc.py >>> +++ b/src/kimchi/vnc.py >>> @@ -54,7 +54,14 @@ def new_ws_proxy(): >>> >>> def add_proxy_token(name, port): >>> with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: >>> - name = base64.urlsafe_b64encode(name) >>> + """ >>> + From python documentation base64.urlsafe_b64encode(s) >>> + substitutes - instead of + and _ instead of / in the >>> + standard Base64 alphabet, BUT the result can still >>> + contain = which is not safe in a URL query component. >>> + As token value is not decoded nowhere, replace = by A >>> + """ >>> + name = base64.urlsafe_b64encode(name).replace('=', 'A') >>> f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) >>> >>> >>> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js >>> index 8f5b68f..30360c5 100644 >>> --- a/ui/js/src/kimchi.api.js >>> +++ b/ui/js/src/kimchi.api.js >>> @@ -352,7 +352,14 @@ var kimchi = { >>> }).done(function() { >>> url = 'https://' + location.hostname + ':' + >>> proxy_port; >>> url += "/console.html?url=vnc_auto.html&port=" + >>> proxy_port; >>> - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); >>> + /* >>> + * From python documentation >>> base64.urlsafe_b64encode(s) >>> + * substitutes - instead of + and _ instead of / in >>> the >>> + * standard Base64 alphabet, BUT the result can still >>> + * contain = which is not safe in a URL query >>> component. >>> + * As token value is not decoded nowhere, replace = >>> by A >>> + * */ >>> + url += "&path=?token=" + >>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); >>> url += "&kimchi=" + location.port; >>> url += '&encrypt=1'; >>> window.open(url); >>> @@ -377,7 +384,14 @@ var kimchi = { >>> url = 'https://' + location.hostname + ':' + >>> proxy_port; >>> url += "/console.html?url=spice.html&port=" + >>> proxy_port; >>> url += "&listen=" + location.hostname; >>> - url += "&token=" + kimchi.urlSafeB64Encode(vm); >>> + /* >>> + * From python documentation >>> base64.urlsafe_b64encode(s) >>> + * substitutes - instead of + and _ instead of / in >>> the >>> + * standard Base64 alphabet, BUT the result can still >>> + * contain = which is not safe in a URL query >>> component. >>> + * As token value is not decoded nowhere, replace = >>> by A >>> + * */ >>> + url += "&token=" + >>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); >>> url += "&kimchi=" + location.port; >>> url += '&encrypt=1'; >>> window.open(url); >> >> > > > -- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

On 07/28/2014 11:15 AM, Sheldon wrote: > On 07/28/2014 08:28 PM, Aline Manera wrote: >> >> On 07/28/2014 06:15 AM, Sheldon wrote: >>> On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote: >>>> From: Aline Manera <alinefm@linux.vnet.ibm.com> >>>> >>>> >From python documentation, base64.urlsafe_b64encode(s) substitutes >>>> - instead >>>> of + and _ instead of / in the standard Base64 alphabet, BUT the >>>> result can >>>> still contain = which is not safe in a URL query component. >>>> As token value is not decoded nowhere, replace = by A >>> >>> what about other character instead of A? such as "." or "~" >>> >>> This is the base64 alphabet: >>> 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' >>> >>> "A" is in the alphabet. >>> >> >> Ok. I will use . to replace = >> >>> >>> or do not pad the encode string. >>> some base64 variant has no pad character. >>> http://en.wikipedia.org/wiki/Base64#Implementations_and_history >>> >> >> I think we can have problem in not using the pad if you have the same >> code string to different sentence >> Example: >> >> "abcd" = "YWJjZA=" >> "jdcf" = "YWJjZA" > > in python, I have try: > > In [51]: base64.urlsafe_b64encode("jdcf") > Out[51]: 'amRjZg==' > > In [52]: base64.urlsafe_b64encode("abcd") > Out[52]: 'YWJjZA==' > > > and in UI I also try: > atob("YWJjZA") > "abcd" > atob("YWJjZA=") > [Exception... "String contains an invalid character" code: "5" > nsresult: "0x80530005 (InvalidCharacterError)" location: "<unknown>"] > atob("YWJjZA==") > "abcd" > Ok. I will remove the padding encode > >> >> If we ignore the = in the first string we will have 2 matches to the >> different values. >> Not sure it can happen in real world, but I think it is safe to use . >> instead of = >> >>> >>> Then in python, it can easy strip the "=" >>> In [21]: s1 = base64.urlsafe_b64encode("abcd") >>> In [22]: s1.rstrip("=") >>> Out[22]: 'YWJjZA' >>> >>> and In js add a funtion to >>> $ git diff >>> diff --git a/ui/js/src/kimchi.utils.js b/ui/js/src/kimchi.utils.js >>> index 480b9b5..2d252a7 100644 >>> --- a/ui/js/src/kimchi.utils.js >>> +++ b/ui/js/src/kimchi.utils.js >>> @@ -191,3 +191,8 @@ kimchi.urlSafeB64Decode = function(str) { >>> kimchi.urlSafeB64Encode = function(str) { >>> return btoa(str).replace(/\+/g, '-').replace(/\//g, '_'); >>> } >>> + >>> +kimchi.padBase64 = function(str) { >>> + padLen = str.length % 4; >>> + return str + new Array(padLen? 4 - padLen + 1 : 0).join("="); >>> +} >>> >>> >>> Now test this method: >>> in python: >>> In [40]: base64.urlsafe_b64encode("abcd") >>> Out[40]: 'YWJjZA==' >>> >>> In [41]: base64.urlsafe_b64encode("abcde") >>> Out[41]: 'YWJjZGU=' >>> >>> In UI: >>> kimchi.padBase64("YWJjZA") >>> "YWJjZA==" >>> >>> kimchi.padBase64("YWJjZGU") >>> "YWJjZGU=" >>> >>> >>>> >>>> The problem with equals sign was only identified on Spice connections. >>>> noVNC can deal well with that. >>>> >>>> For reference: https://docs.python.org/2/library/base64.html >>>> >>>> Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> >>>> --- >>>> src/kimchi/vnc.py | 9 ++++++++- >>>> ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- >>>> 2 files changed, 24 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py >>>> index 9380e21..4159049 100644 >>>> --- a/src/kimchi/vnc.py >>>> +++ b/src/kimchi/vnc.py >>>> @@ -54,7 +54,14 @@ def new_ws_proxy(): >>>> >>>> def add_proxy_token(name, port): >>>> with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: >>>> - name = base64.urlsafe_b64encode(name) >>>> + """ >>>> + From python documentation base64.urlsafe_b64encode(s) >>>> + substitutes - instead of + and _ instead of / in the >>>> + standard Base64 alphabet, BUT the result can still >>>> + contain = which is not safe in a URL query component. >>>> + As token value is not decoded nowhere, replace = by A >>>> + """ >>>> + name = base64.urlsafe_b64encode(name).replace('=', 'A') >>>> f.write('%s: localhost:%s' % (name.encode('utf-8'), port)) >>>> >>>> >>>> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js >>>> index 8f5b68f..30360c5 100644 >>>> --- a/ui/js/src/kimchi.api.js >>>> +++ b/ui/js/src/kimchi.api.js >>>> @@ -352,7 +352,14 @@ var kimchi = { >>>> }).done(function() { >>>> url = 'https://' + location.hostname + ':' + >>>> proxy_port; >>>> url += "/console.html?url=vnc_auto.html&port=" + >>>> proxy_port; >>>> - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); >>>> + /* >>>> + * From python documentation >>>> base64.urlsafe_b64encode(s) >>>> + * substitutes - instead of + and _ instead of / >>>> in the >>>> + * standard Base64 alphabet, BUT the result can still >>>> + * contain = which is not safe in a URL query >>>> component. >>>> + * As token value is not decoded nowhere, replace >>>> = by A >>>> + * */ >>>> + url += "&path=?token=" + >>>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); >>>> url += "&kimchi=" + location.port; >>>> url += '&encrypt=1'; >>>> window.open(url); >>>> @@ -377,7 +384,14 @@ var kimchi = { >>>> url = 'https://' + location.hostname + ':' + >>>> proxy_port; >>>> url += "/console.html?url=spice.html&port=" + >>>> proxy_port; >>>> url += "&listen=" + location.hostname; >>>> - url += "&token=" + kimchi.urlSafeB64Encode(vm); >>>> + /* >>>> + * From python documentation >>>> base64.urlsafe_b64encode(s) >>>> + * substitutes - instead of + and _ instead of / >>>> in the >>>> + * standard Base64 alphabet, BUT the result can still >>>> + * contain = which is not safe in a URL query >>>> component. >>>> + * As token value is not decoded nowhere, replace >>>> = by A >>>> + * */ >>>> + url += "&token=" + >>>> kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); >>>> url += "&kimchi=" + location.port; >>>> url += '&encrypt=1'; >>>> window.open(url); >>> >>> >> >> >> > >

On 07/26/2014 05:01 AM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A also in our kimchi I have try: In [45]: base64.urlsafe_b64encode("abcd") Out[45]: 'YWJjZA==' In [41]: base64.urlsafe_b64encode("abcde") Out[41]: 'YWJjZGU='
JS is very cool, it can decode base64 without "=" padding well kimchi.urlSafeB64Decode("YWJjZA") "abcd" kimchi.urlSafeB64Decode("YWJjZGU") "abcde" we just need in python: In [48]: base64.urlsafe_b64encode("abcd").rstrip("=") Out[48]: 'YWJjZA'
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center

Reviewed-by: Daniel Barboza <danielhb@linux.vnet.ibm.com> On 07/25/2014 06:01 PM, alinefm@linux.vnet.ibm.com wrote:
From: Aline Manera <alinefm@linux.vnet.ibm.com>
From python documentation, base64.urlsafe_b64encode(s) substitutes - instead of + and _ instead of / in the standard Base64 alphabet, BUT the result can still contain = which is not safe in a URL query component. As token value is not decoded nowhere, replace = by A
The problem with equals sign was only identified on Spice connections. noVNC can deal well with that.
For reference: https://docs.python.org/2/library/base64.html
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 9 ++++++++- ui/js/src/kimchi.api.js | 18 ++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 9380e21..4159049 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -54,7 +54,14 @@ def new_ws_proxy():
def add_proxy_token(name, port): with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f: - name = base64.urlsafe_b64encode(name) + """ + From python documentation base64.urlsafe_b64encode(s) + substitutes - instead of + and _ instead of / in the + standard Base64 alphabet, BUT the result can still + contain = which is not safe in a URL query component. + As token value is not decoded nowhere, replace = by A + """ + name = base64.urlsafe_b64encode(name).replace('=', 'A') f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 8f5b68f..30360c5 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -352,7 +352,14 @@ var kimchi = { }).done(function() { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=vnc_auto.html&port=" + proxy_port; - url += "&path=?token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url); @@ -377,7 +384,14 @@ var kimchi = { url = 'https://' + location.hostname + ':' + proxy_port; url += "/console.html?url=spice.html&port=" + proxy_port; url += "&listen=" + location.hostname; - url += "&token=" + kimchi.urlSafeB64Encode(vm); + /* + * From python documentation base64.urlsafe_b64encode(s) + * substitutes - instead of + and _ instead of / in the + * standard Base64 alphabet, BUT the result can still + * contain = which is not safe in a URL query component. + * As token value is not decoded nowhere, replace = by A + * */ + url += "&token=" + kimchi.urlSafeB64Encode(vm).replace(/=/g, 'A'); url += "&kimchi=" + location.port; url += '&encrypt=1'; window.open(url);
participants (4)
-
Aline Manera
-
alinefm@linux.vnet.ibm.com
-
Daniel H Barboza
-
Sheldon