directory listing of the service No-VNC

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Is there further information on the deployment setup here? Is this just novncproxy running on a host, or behind a different webserver, or...?

The deployment was in a dev environment (in a LAN), I had installed Openstack (all in one) in ubuntu with the devstack script.

Thanks for reporting this.

It's clearly an unintended information disclosure issue. The bug in in websockify and it'd trivial to fix.

Can someone that has been around longer help me understand how we work with websockify to fix this in a sensitive way?

Tony, I'm adding Solly Ross to the bug as he works on websockify and can help on that front.

It appears that there's a bug in the Websockify source code that causes the `file_only` parameter not to be properly set when passed to the `__init__`. Like you mention, the fix should be trivial. It should be fairly easy to backport the fix to existing noVNC packages as well. How would you like to proceed?

Additionally, in the mean time, adding an index.html file (e.g. `ln -s vnc_auto.html index.html`) will prevent directory listing (this is similar to what the Fedora noVNC package does: http://pkgs.fedoraproject.org/cgit/novnc.git/tree/novnc.spec#n29).

Since the directory listing only shows packaged files and does not contains any private files I suggest a class D type of bug (http://security.openstack.org/vmt-process.html#incident-report-taxonomy) and propose to open this bug by the end of the week if no one complains.

@sross-7 If you're comfortable doing so can you to take the fix (I'll attach my version to be sure we're talking about the same fix) and cut a websockify v0.6.1 release?

A quick grep of the master branches shows:
$ grep websockify */*/requirements.txt
openstack/ironic/requirements.txt:websockify>=0.6.0,<0.7
openstack/nova/requirements.txt:websockify>=0.6.0,<0.7
stackforge/nova-solver-scheduler/requirements.txt:websockify>=0.5.1,<0.6

So cutting v0.6.1 would leave nova-solver-scheduler vulnerable but AFAICT it doesn't actually use websockify :/

Do we want to add a symlink workaround? Do we have a good way to work with packagers to do that?

My version of the trivial patch for comparision

@o-tony:
Your patch looks good.
Regarding the symlink workaround -- it's not particularly necessary if we cut a new release and distros actually package it (since either way involves distros updating their packaging). We may want to offer it as a workaround in case anyone decides they don't want to do a minor release upgrade (for some reason).

At what point in time is ok for me to push the patch and cut the release (when is the embargo lifted)?

Of course I defer to the VMT but given this is a 'class D' I think we co-ordinate lifting the embargo with cutting 0.6.1 If we could do that on Monday that would be awesome!

@fungi, @tristan-cacqueray: Does that sounds reasonable?

This sounds good to me Tony. Note that we better open this bug before pushing the patch (to avoid 404 on bug number if it's referenced.)

The OSSA task is now removed, feel free to open this at your convenience.

Unless someone says 'stop' I'll mark this public at 2015-05-12 00:00 UTC and @sross-7 you can cut and release at about that same time.

Patches for websockify are now public and 0.6.1 is uploading to pypi.
I've changed this to public.
Thanks @sross-7!

Marking this as committed as the wesockify code has been out there for a while and Liberty has 0.6.1 as the minimum version after https://review.openstack.org/#/c/211062/ and https://review.openstack.org/#/c/213896/ merged.