https://bugzilla.redhat.com/show_bug.cgi?id=491694

--- Comment #12 from Alexander Boström <abo@xxxxxx> 2009-04-07 05:33:46 EDT ---

Looks pretty good! My comments:

* The typical use case for this is a multiuser machine where you'd usually not
  completely trust all users. Since Apache is configured to proxy to port 8080,
  if anytermd is not running for some reason, any user will be able to listen
  on that port and have other users' passwords sent there. So I still think
  using a port <1024 by default is the way to go.

* In anyterm-cmd:

    read U
    ssh $U@localhost

  Here the user could enter any ssh client option into $U, and I'm pretty sure
  it's possible to do evil that way, for example by causing
  ~anytermd/.ssh/config and ~anytermd/.ssh/known_hosts to be replaced. I
  suggest something like this:

    while :; do
        echo -n "Username: "
        # -r keeps backslashes literal; stop on EOF instead of looping forever.
        read -r U || exit 1
        # Make sure it does not start with a "-" and only contains valid
        # username characters. The patterns are unquoted because bash 3.2
        # and later match a quoted right-hand side of =~ as a literal string.
        if [[ "$U" =~ ^[A-Za-z0-9_] && ! ( "$U" =~ [^A-Za-z0-9_-] ) ]]; then
            exec ssh "$U@localhost"
        fi
        echo "Bad username."
    done

* I'd package the static content in /var/www/anyterm to make it easy for admins
  to customize it and cut down on proxy traffic.
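
The username check suggested in the comment above, as an added example that is not part of the original email or of the anyterm package. It swaps the bash-only `[[ =~ ]]` test for a POSIX `case` pattern so it also runs under plain `sh`; the names `valid_username`, `login_argv` and `check_samples` and all sample inputs are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original comment or the anyterm package.
# Pin the locale so the bracket ranges below mean ASCII only.
LC_ALL=C
export LC_ALL

# Return 0 only if $1 is non-empty, does not start with "-", and consists
# solely of characters from A-Z, a-z, 0-9, "_" and "-".
valid_username() {
    case "$1" in
        ''|-*) return 1 ;;              # empty, or would parse as an option
        *[!A-Za-z0-9_-]*) return 1 ;;   # any character outside the allowed set
    esac
    return 0
}

# Print the command line that would be run for username $1, or fail.
# "--" ends option parsing, so what follows is only ever a destination.
login_argv() {
    valid_username "$1" || return 1
    printf 'ssh -- %s@localhost\n' "$1"
}

# Run the check over constructed sample inputs; prints "<accepted> <rejected>".
check_samples() {
    accepted=0
    rejected=0
    for u in alice build_user web-admin '' '-v' '-oOption=value' \
             'bob -v' 'bob@otherhost' 'bob;id'; do
        if login_argv "$u" >/dev/null; then
            accepted=$((accepted + 1))
        else
            rejected=$((rejected + 1))
        fi
    done
    echo "$accepted $rejected"
}

check_samples
```

Only the first three sample names pass; the option-like strings, the empty string, and anything containing a space, `@` or `;` are rejected before ssh is ever invoked.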