Comment 20 for bug 1927677

melanie witt (melwitt) wrote : Re: novnc allowing open redirection which could potentially be used for phishing

The fix backports have been proposed but are not yet merged on stable/victoria, stable/ussuri, and stable/train.

This issue is considered to be of "moderate" severity. It is a result of a publicly reported behavior in the Python standard library [1], and the http.server documentation carries a warning on it that states: "Warning: http.server is not recommended for production. It only implements basic security checks." [2]

Our dependency, however, the websockify server [3], is based upon http.server, and AFAIK websockify isn't characterized as being only for dev or non-production use.

There is currently a pull request proposed to fix [1], and it is under review [4].

Based on this, I tend to think we should treat it as hardening, but of course I defer to the expert opinion of the VMT.

[1] https://bugs.python.org/issue43223
[2] https://docs.python.org/3/library/http.server.html
[3] https://github.com/novnc/websockify
[4] https://github.com/python/cpython/pull/24848
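
The following is an added illustration of the http.server behavior referenced in [1]; it is not part of the comment above and is not code from novnc, websockify, or CPython. It models, with the standard library's own URL helpers, the redirect that SimpleHTTPRequestHandler issues when a directory is requested without a trailing slash (append "/" to the path and rebuild the URL), shows why a request target beginning with "//" reaches that branch, and contrasts it with a hardened variant that collapses leading slashes before the redirect is built. The function names and the host evil.example are my own; the leading-slash normalization is one possible mitigation, not a claim about what PR [4] contains.

```python
"""Model of the open redirect behaviour reported in bpo-43223.

Added illustration, not code from novnc, websockify or CPython. The
request targets and the host name evil.example are constructed.
"""
import posixpath
import urllib.parse


def naive_redirect_location(request_path):
    """Build the 301 Location the way the unpatched directory branch does.

    urlsplit() treats a request-target that starts with '//' as a
    network-path reference: '//evil.example/..' parses to netloc
    'evil.example' and path '/..'. Appending '/' and rebuilding gives
    '//evil.example/../', which a browser resolves against the current
    scheme, i.e. https://evil.example/../ on an HTTPS console page.
    Returns None when the path already ends in '/' (no redirect).
    """
    parts = urllib.parse.urlsplit(request_path)
    if parts.path.endswith("/"):
        return None
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, parts.path + "/", parts.query, parts.fragment)
    )


def resolves_to_served_root(request_path):
    """Why '//evil.example/..' reaches the directory-redirect branch at all.

    Mirrors the steps translate_path() takes: strip query and fragment,
    percent-decode, posixpath.normpath(), then keep only simple path
    components. normpath() collapses '..' but preserves a leading '//',
    so nothing is left to join under the served directory: the request
    maps to the root, which is a directory, and the redirect fires.
    """
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = posixpath.normpath(urllib.parse.unquote(path))
    words = [w for w in path.split("/") if w and w not in (".", "..")]
    return not words


def normalize_request_path(request_path):
    """Collapse any run of leading slashes to exactly one (assumed mitigation).

    '//evil.example/..' becomes '/evil.example/..', which urlsplit() then
    parses as a plain path with an empty netloc, so no attacker-chosen
    host can end up in the Location header.
    """
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def hardened_redirect_location(request_path):
    """Same redirect construction, applied after normalisation."""
    return naive_redirect_location(normalize_request_path(request_path))


def is_protocol_relative(location):
    """True when a Location value is a network-path reference ('//host/...')."""
    return (
        location is not None
        and location.startswith("//")
        and not location.startswith("///")
    )


if __name__ == "__main__":
    for target in ("/static", "//evil.example/..", "//evil.example/%2e%2e"):
        print(
            f"{target!r}: reaches root={resolves_to_served_root(target)} "
            f"naive={naive_redirect_location(target)!r} "
            f"hardened={hardened_redirect_location(target)!r}"
        )
```

Run the module directly to see the three cases side by side: a normal directory request gets a same-origin "/static/" redirect, while the "//evil.example/.." and percent-encoded variants produce a scheme-relative Location under the naive construction and a harmless same-origin path once the leading slashes are collapsed. Because websockify's HTTP handling is built on http.server, a deployment that exposes it directly inherits this redirect construction unless the interpreter or websockify itself normalizes the path.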