Alon Bar-Lev has posted comments on this change.

Change subject: engine: Integrate noVNC support
......................................................................


Patch Set 7: (1 inline comment)

....................................................
File backend/manager/modules/root/src/main/webapp/ovirt-engine-novnc-main.html
Line 128:                            'shared':       WebUtil.getQueryVar('shared', true),
Line 129:                            'view_only':    WebUtil.getQueryVar('view_only', false),
Line 130:                            'updateState':  updateState,
Line 131:                            'onPasswordRequired':  passwordRequired});
Line 132:                            rfb.connect(host, port, ticket, path);
password as vnc ticket?

Right, and because of this we have a security issue now...

As if we do not enforce the (vnc-ticket, host, port) we have an issue of 
someone holding a ticket and re-using it for a very long time with different vnc 
tickets.

I thought that the proxy side would extract the vnc-ticket and create the vnc 
session, so that we can use the whole ticket only one time.

Now we have to have some expiration mechanism for the ticket as well...

Anyway, the vnc-ticket is not used in the context of the proxy, so there is no 
reason to hold it within the ticket.
Line 133:             }catch(e) {alert(e);}
Line 134:         }
Line 135: 
Line 136:         if (window.addEventListener) {


--
To view, visit http://gerrit.ovirt.org/13931
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I44e9870b88537360a1886e89c08f18865eae2ef0
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Frank Kobzik <fkob...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Barak Azulay <bazu...@redhat.com>
Gerrit-Reviewer: Frank Kobzik <fkob...@redhat.com>
Gerrit-Reviewer: Itamar Heim <ih...@redhat.com>
Gerrit-Reviewer: Martin Beták <mbe...@redhat.com>
Gerrit-Reviewer: Michal Skrivanek <michal.skriva...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: Tomas Jelinek <tjeli...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
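The proxy-side design the comment above describes (the browser holds only an opaque ticket; the proxy redeems it once, within a short expiry window, and only for the host/port it was issued for, then opens the VNC session itself so the VNC password never reaches the client) as an added example. This is illustration code, not oVirt's engine or websocket-proxy code: the `TicketStore`, `ConsoleTarget` and `client_connect_args` names, the 120-second default TTL and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class ConsoleTarget:
    """What the proxy needs to open the VNC session. Never sent to the browser."""
    host: str
    port: int
    vnc_password: str  # the per-session VNC password ("vnc ticket")


class TicketStore:
    """Proxy-side ticket store (hypothetical, not oVirt's implementation).

    One opaque ticket -> one target, redeemable once, within ttl_seconds.
    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, ttl_seconds: float = 120.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending: Dict[str, Tuple[ConsoleTarget, float]] = {}

    def issue(self, target: ConsoleTarget) -> str:
        """Engine-side step: mint a random, unguessable ticket bound to the target."""
        self._expire_old()
        ticket = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[ticket] = (target, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket: str, host: str, port: int) -> Optional[ConsoleTarget]:
        """Proxy-side step: consume the ticket and return the bound target.

        Returns None (and the ticket is burned either way) when the ticket is
        unknown, already used, expired, or presented with a different
        host/port than it was issued for. Fail closed on every mismatch.
        """
        self._expire_old()
        entry = self._pending.pop(ticket, None)  # pop => single use
        if entry is None:
            return None
        target, expires_at = entry
        if self._clock() > expires_at:
            return None
        if target.host != host or target.port != port:
            # Ticket replayed against a different console: reject, do not restore.
            return None
        return target

    def outstanding(self) -> int:
        self._expire_old()
        return len(self._pending)

    def _expire_old(self) -> None:
        now = self._clock()
        stale = [t for t, (_, exp) in self._pending.items() if exp < now]
        for t in stale:
            del self._pending[t]


def client_connect_args(ticket: str) -> dict:
    """What the browser-side noVNC page would pass to the websocket proxy.

    Contrast with rfb.connect(host, port, ticket, path) in the reviewed change:
    here the page carries only the opaque ticket, never the VNC password.
    """
    return {"ticket": ticket}


if __name__ == "__main__":
    # Constructed demo flow: engine issues, browser forwards, proxy redeems.
    store = TicketStore(ttl_seconds=120)
    t = store.issue(ConsoleTarget("10.0.0.5", 5900, "per-session-vnc-password"))
    print("browser sends:", client_connect_args(t))
    print("proxy resolves:", store.redeem(t, "10.0.0.5", 5900))
    print("replay:", store.redeem(t, "10.0.0.5", 5900))  # None: already consumed
```

The important properties are all in `redeem`: `pop` makes the ticket single-use, the expiry check gives the time bound the comment asks for, and the host/port comparison enforces the (vnc-ticket, host, port) binding so a held ticket cannot be re-aimed at another console. The VNC password only ever lives inside `ConsoleTarget` on the proxy side.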
