Backport fix to disable old-form of console access URL in commit fb94b72213

2013-04-12 10:44:36 -07:00 · 2013-04-12 10:44:36 -07:00 · 4e538710ad
parent fa98e51046
commit 4e538710ad
2 changed files with 37 additions and 11 deletions
--- a/console-proxy/src/com/cloud/consoleproxy/ConsoleProxy.java
+++ b/console-proxy/src/com/cloud/consoleproxy/ConsoleProxy.java
@ -425,23 +425,32 @@ public class ConsoleProxy {
        synchronized (connectionMap) {
            ConsoleProxyClient viewer = connectionMap.get(clientKey);
            if (viewer == null) {
+            	authenticationExternally(param);
                viewer = new ConsoleProxyVncClient();
                viewer.initClient(param);
                
                connectionMap.put(clientKey, viewer);
                s_logger.info("Added viewer object " + viewer);
                reportLoadChange = true;
-            } else if (!viewer.isFrontEndAlive()) {
-                s_logger.info("The rfb thread died, reinitializing the viewer " + viewer);
-                viewer.initClient(param);
-            } else if (!param.getClientHostPassword().equals(viewer.getClientHostPassword())) {
-                s_logger.warn("Bad sid detected(VNC port may be reused). sid in session: " 
-                    + viewer.getClientHostPassword() + ", sid in request: " + param.getClientHostPassword());
-                viewer.initClient(param);
-            } else {
-                if(ajaxSession == null || ajaxSession.isEmpty())
+            }  else {
+				// protected against malicous attack by modifying URL content
+				if(ajaxSession != null) {
+					long ajaxSessionIdFromUrl = Long.parseLong(ajaxSession);
+					if(ajaxSessionIdFromUrl != viewer.getAjaxSessionId())
+						throw new AuthenticationException ("Cannot use the existing viewer " +
+								viewer + ": modified AJAX session id");
+				}
+				
+				if(param.getClientHostPassword() == null || param.getClientHostPassword().isEmpty() || !param.getClientHostPassword().equals(viewer.getClientHostPassword()))
+					throw new AuthenticationException ("Cannot use the existing viewer " +
+							viewer + ": bad sid");
+				
+				if(!viewer.isFrontEndAlive()) {
                    authenticationExternally(param);
-            }
+					viewer.initClient(param);
+					reportLoadChange = true;
+				}
+			}
            
            if(reportLoadChange) {
                ConsoleProxyClientStatsCollector statsCollector = getStatsCollector();
--- a/console-proxy/src/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
+++ b/console-proxy/src/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
@ -49,8 +49,11 @@ public class ConsoleProxyHttpHandlerHelper {
        if(map.get("token") != null) {
            ConsoleProxyPasswordBasedEncryptor encryptor = new ConsoleProxyPasswordBasedEncryptor(
                ConsoleProxy.getEncryptorPassword());
-            
+    
            ConsoleProxyClientParam param = encryptor.decryptObject(ConsoleProxyClientParam.class, map.get("token"));
+
+            // make sure we get information from token only
+            guardUserInput(map);
            if(param != null) {
                if(param.getClientHostAddress() != null)
                    map.put("host", param.getClientHostAddress());
@ -67,8 +70,22 @@ public class ConsoleProxyHttpHandlerHelper {
                if(param.getTicket() != null)
                    map.put("ticket", param.getTicket());
            }
+        } else {
+        	// we no longer accept information from parameter other than token 
+        	guardUserInput(map);
        }
        
        return map;
    }
+    
+    private static void guardUserInput(Map<String, String> map) {
+    	map.remove("host");
+    	map.remove("port");
+    	map.remove("tag");
+    	map.remove("sid");
+    	map.remove("consoleurl");
+    	map.remove("sessionref");
+       	map.remove("ticket");
+    }
 }
+