Comment 79 for bug 1409142

Dave McCowan (dave-mccowan) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

Looking more, I don't think the ssl_only option is the best choice. Customers may not have set this, but still use HTTPS. I implemented @alaski's idea in #49, and decided to ignore my concerns in #51. Patches are attached. Changing the RPC API at this point seems overly complex for a value that can be gleaned from the config file. These patches will work in all cases, except for when someone configures both NoVNCProxy and Spice, but only one of them with HTTPS. (The insecure one will fail to validate.)