14 Commits

Author SHA1 Message Date
Christophe Fergeau
3d452a312b Don't limit spice controller socket name to 50 chars
The spice controller socket name used to be hardcoded to
/tmp/SpiceController-%lu.uds and generated using snprintf. A 50-byte
buffer was enough for that, but this was changed in commit 79fffbf95
because this was predictable and allowed other users on the system
to sniff the browser/client communication. spicec now uses the value
of the environment SPICE_XPI_SOCKET as the name of the socket to use.
However, since the name that is used is no longer generated by spicec,
no assumption can be made about its size. Currently, the socket is
created inside the user home directory, which means that if the
user name is too long, spicec will not be able to read the controller
socket name.
This commit directly uses the string from getenv as the name of the
controller socket (on Linux) instead of limiting its size to 50 characters,
which should fix this issue.
This fixes rhbz #804561
2012-03-20 16:53:40 +01:00
Marc-André Lureau
1ab589f39e Use SPICE_FOREIGN_MENU_SOCKET if it's available
If specified, use SPICE_FOREIGN_MENU_SOCKET environment variable over
snprintf(pipe_name, PIPE_NAME_MAX_LEN, PIPE_NAME,
Platform::get_process_id()); since it's impossible to guess the client
pid when spice-xpi launches the client as a grand-child (via script
etc).

This is also more aligned with the way we handle SPICE_XPI_SOCKET
location.
2012-03-05 22:52:27 +01:00
Christophe Fergeau
a50619e733 Fix compilation when smartcard support is disabled
The addition of smartcard control to the controller doesn't handle
the case when smartcard support is disabled at compile time. When
this is the case, this causes compile errors.
2012-02-29 18:20:01 +01:00
Alon Levy
26516fc5a2 client: handle CONTROLLER_ENABLE_SMARTCARD (rhbz 641828)
2012-02-28 14:40:42 +02:00
Uri Lublin
5d28d1662e client controller/foreign_menu: use memmove instead of memcpy in readers
When src/dst memory areas may overlap, it's safer to use memmove.
2011-12-20 18:27:32 +02:00
Christophe Fergeau
78c1465ed3 add #include <config.h> to all source files
When using config.h, it must be the very first include in all source
files since it contains #define that may change the compilation process
(eg libc structure layout changes when it's used to enable large file
support on 32 bit x86 archs). This commit adds it at the beginning
of all .c and .cpp files
2011-05-03 14:44:10 +02:00
Christophe Fergeau
56a4a05ae7 client: s/AVAILIBLE/AVAILABLE in CmdLineParser
It was misspelt in a CmdLineParser enum.
2011-04-18 12:38:39 +02:00
Uri Lublin
e9ee6cf914 client: exit nicely for --controller with no SPICE_XPI_SOCKET (rhbz#644292)
When starting spicec with --controller, SPICE_XPI_SOCKET environment
variable must be defined so spicec and the controller can be connected.
2011-03-01 17:58:47 +02:00
Alon Levy
9728ea7f5c mingw32 build: remove unused, initialize uninitialized, reorder constructor initializers
2010-12-08 17:11:45 +02:00
Arnon Gilboa
429fae02ba spicec-win: remove redundant strdup & buggy free
text referred a substr of item_dup and was used after free(item_dup).
no need to strdup, we can destroy the resource string.
2010-10-25 13:22:24 +02:00
Hans de Goede
a1cef5b81a controller: Make menu text utf-8
We are making all text sent over the controller socket utf-8, rather than
having some things as 8 bit (hostname) and others (title, menu) unicode16,
this patch completes this change by converting the menu handling.
2010-10-25 11:36:35 +02:00
Hans de Goede
fa2e125ec4 client: Interpret the title control message as utf8 instead of unicode16
The activex browser plugin is sending unicode16 text, whereas the
xpi one is sending utf8 text. After discussing this on irc we've decided
that utf8 is what we want to use. So the client (this patch), and the
activex will be changed to expect resp. send utf8 text as the title.
2010-10-21 13:19:51 +02:00
Hans de Goede
79fffbf95d spicec-x11: Change source of controller socket name, fixing CVE-2010-2792
The socket name used to communicate between the xpi browser plugin and the
spicec was predictable allowing a non-privileged user on the same system
to create the socket before spicec does and thus intercept the messages from
the xpi to the client, including login credentials. This security vulnerability
has been registered with mitre as CVE-2010-2792:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2792

This patch changes the controller code to instead read the socket name
from an environment variable which gets set by the xpi before executing
the spicec, making the socketname private between the client and the xpi.

Note that this means that the controller will only work with an xpi which
has matching changes, the changes are present in the latest version of the
xpi as available as update for / with RHEL-5.5 and RHEL-6.0.
2010-10-21 13:06:14 +02:00
Arnon Gilboa
4d0e6e525c spicec: add controller
Spice client controller enables external control (e.g., by XPI or ActiveX) of
the client functionality.

The controller protocol enables setting parameters (host, port, sport, pwd,
secure channels, disabled channels, title, menus, hotkeys etc.), connecting
the server, showing and hiding the client etc.

The controller is based on the cross-platform named pipe.
2010-10-18 10:17:28 +02:00