[Bug 491694] Review Request: Anyterm - Web based terminal emulator

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=491694





--- Comment #12 from Alexander Boström <abo@xxxxxx>  2009-04-07 05:33:46 EDT ---
Looks pretty good!

My comments:

* The typical use case for this is a multiuser machine where you'd usually not
completely trust all users. Since Apache is configured to proxy to port 8080
then if anytermd is not running for some reason any user will be able to listen
to that port and have other users' passwords sent there. So I still think using
a port <1024 by default is the way to go.

* In anyterm-cmd:

  read U
  ssh $U@localhost

Here the user could enter any ssh client option into $U, and I'm pretty sure
it's possible to do evil that way, for example by causing ~anytermd/.ssh/config
and ~anytermd/.ssh/known_hosts to be replaced.

I suggest something like this:

  while :; do
    echo -n "Username: "
    read U
    # Make sure it does not start with a "-" and only contains valid
    # username characters.
    if [[ "$U" =~ "^[A-Za-z0-9_]" && ! ( "$U" =~ "[^A-Za-z0-9_-]" ) ]]; then
      exec ssh "$U@localhost"
    fi
    echo "Bad username."
  done

* I'd package the static content in /var/www/anyterm to make it easy for admins
to customize it and cut down on proxy traffic.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review

[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]