[Spice-devel] [PATCH v2] Report invalid password as a special auth error

Christophe Fergeau cfergeau at redhat.com
Fri May 29 05:07:36 PDT 2015 

Hey,

On Wed, May 27, 2015 at 04:05:16PM +0200, Cédric Bosdonnat wrote:
> Provide a special authentication error message for too long passwords.
> Also check for too long passwords before sending them over the wire.
> ---
> 
>  Diff to v1:
>    * Added a check in spice_channel_send_spice_ticket
>    * moved spice_channel_failed_authentication before spice_channel_send_spice_ticket
>      in order to reuse it there.
> 
>  gtk/spice-channel.c | 64 +++++++++++++++++++++++++++++++++--------------------
>  gtk/spice-client.h  |  2 ++
>  2 files changed, 42 insertions(+), 24 deletions(-)
> 
> diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
> index 4e7d8b7..c4a18f5 100644
> --- a/gtk/spice-channel.c
> +++ b/gtk/spice-channel.c
> @@ -1010,6 +1010,33 @@ static int spice_channel_read(SpiceChannel *channel, void *data, size_t length)
>  }
>  
>  /* coroutine context */
> +static void spice_channel_failed_authentication(SpiceChannel *channel,
> +                                                gboolean invalidPassword)
> +{
> +    SpiceChannelPrivate *c = channel->priv;
> +
> +    if (c->auth_needs_username_and_password)
> +        g_set_error_literal(&c->error,
> +                            SPICE_CLIENT_ERROR,
> +                            SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
> +                            _("Authentication failed: password and username are required"));
> +    else if (invalidPassword)
> +        g_set_error_literal(&c->error,
> +                            SPICE_CLIENT_ERROR,
> +                            SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD,
> +                            _("Authentication failed: password is too long"));
> +    else
> +        g_set_error_literal(&c->error,
> +                            SPICE_CLIENT_ERROR,
> +                            SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
> +                            _("Authentication failed: password is required"));
> +
> +    c->event = SPICE_CHANNEL_ERROR_AUTH;
> +
> +    c->has_error = TRUE; /* force disconnect */
> +}
> +
> +/* coroutine context */
>  static void spice_channel_send_spice_ticket(SpiceChannel *channel)
>  {
>      SpiceChannelPrivate *c = channel->priv;
> @@ -1039,11 +1066,17 @@ static void spice_channel_send_spice_ticket(SpiceChannel *channel)
>      g_object_get(c->session, "password", &password, NULL);
>      if (password == NULL)
>          password = g_strdup("");
> +    if (strlen(password) > SPICE_MAX_PASSWORD_LENGTH) {
> +        spice_channel_failed_authentication(channel, TRUE);
> +        goto cleanup;
> +    }


My feeling is that spice_channel_send_spice_ticket() should return
TRUE/FALSE to indicate whether it failed or not, so that
spice_channel_recv_link_msg() can then decide to jump to its error:
label.

Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20150529/d95568bf/attachment.sig>

More information about the Spice-devel mailing list