[et-mgmt-tools] [PATCH 5/5] "Launch virt-viewer" (new) browser plugin.
Richard W.M. Jones
rjones at redhat.com
Thu Aug 14 16:07:09 UTC 2008
On Thu, Aug 14, 2008 at 03:15:19PM +0100, Daniel P. Berrange wrote:
> Am I understanding this correctly, that it'll launch the virt-viewer
> program immediately upon loading the HTML page containing the plugin
> <embed> snippet? If so that's a huge security problem - you are
> spawning a program which is allowed to connect to any host on the
> internet. It is also a denial-of-service - malicious javascript
> could write a page containing thousands of <embed> snippets which
> would spawn thousands of processes.
>
> I'd rather expect the plugin to have a small embedded area in the
> HTML page showing the details of what host will be connected to,
> what port, and then a button which has to be explicitly pressed
> to launch the external viewer.

Yes ... The trouble is if we do this, we end up needing to embed Gtk
widgets in the browser, which takes us back to square one.

I'll raise this on #virt, see if we can talk through the issues again.

Rich.

--
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top