[Spice-devel] [PATCH spice-gtk 2/4] uri: learn to parse spice+tls:// form
marcandre.lureau at redhat.com
marcandre.lureau at redhat.com
Thu Feb 8 12:21:26 UTC 2018
From: Marc-André Lureau <marcandre.lureau at redhat.com>
spice:// has a weird scheme encoding, where it can accept both plain
and tls ports with URI query parameters. However, it's not very
convenient nor very common to use (who really want to mix plain & tls
channels?).
Instead, let's introduce the more readable form spice+tls://host:port
This form will not accept query string, thus mixing plain and tls is
not possible (it would be confusing to have ?port= for plain), nor
passing password and such.
Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
---
man/spice-client.pod | 29 +++++++++++++++++------------
src/spice-session.c | 23 +++++++++++++++++++----
2 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/man/spice-client.pod b/man/spice-client.pod
index 7288b84..4b23c7d 100644
--- a/man/spice-client.pod
+++ b/man/spice-client.pod
@@ -12,23 +12,24 @@ can be used to tweak some SPICE-specific option.
=head1 URI
-The most basic SPICE URI which can be used is in the form
+To initiate a plain SPICE connection (the connection will be
+unencrypted) to hostname.example.com and port 5900, use the following
+URI:
+
spice://hostname.example.com:5900
-This will try to initiate a SPICE connection to hostname.example.com
-to port 5900. This connection will be unencrypted. This URI is
-equivalent to
- spice://hostname.example.com?port=5900
+In order to start a TLS connection, one would use:
-In order to start a TLS connection, one would use
- spice://hostname.example.com?tls-port=5900
+ spice+tls://hostname.example.com:5900
-Other valid URI parameters are 'username' and 'password'. Be careful that
-passing a password through a SPICE URI might cause the password to be
-visible by any local user through 'ps'.
+Note: this form is available since v0.35, you have to use the spice://
+query string with the tls-port parameter before that.
+
+=head1 spice:// URI query string
+
+spice:// URI accepts query string. Several parameters can be specified
+at once if they are separated by & or ;
-Several parameters can be specified at once if they are separated
-by & or ;
spice://hostname.example.com?port=5900;tls-port=5901
When using 'tls-port', it's recommended to not specify any non-TLS port.
@@ -39,6 +40,10 @@ then try to use the TLS port. This means a man-in-the-middle could force
the whole SPICE session to go in clear text regardless of the TLS settings
of the SPICE server.
+Other valid URI parameters are 'username' and 'password'. Be careful that
+passing a password through a SPICE URI might cause the password to be
+visible by any local user through 'ps'.
+
=head1 OPTIONS
The following options are accepted when running a SPICE client which
diff --git a/src/spice-session.c b/src/spice-session.c
index 2aabf58..7218449 100644
--- a/src/spice-session.c
+++ b/src/spice-session.c
@@ -389,6 +389,7 @@ spice_session_finalize(GObject *gobject)
#define URI_SCHEME_SPICE "spice://"
#define URI_SCHEME_SPICE_UNIX "spice+unix://"
+#define URI_SCHEME_SPICE_TLS "spice+tls://"
#define URI_QUERY_START ";?"
#define URI_QUERY_SEP ";&"
@@ -425,6 +426,7 @@ static int spice_parse_uri(SpiceSession *session, const char *original_uri)
gchar *authority = NULL;
gchar *query = NULL;
gchar *tmp = NULL;
+ bool tls_scheme = false;
g_return_val_if_fail(original_uri != NULL, -1);
@@ -438,12 +440,16 @@ static int spice_parse_uri(SpiceSession *session, const char *original_uri)
/* Break up the URI into its various parts, scheme, authority,
* path (ignored) and query
*/
- if (!g_str_has_prefix(uri, URI_SCHEME_SPICE)) {
+ if (g_str_has_prefix(uri, URI_SCHEME_SPICE)) {
+ authority = uri + strlen(URI_SCHEME_SPICE);
+ } else if (g_str_has_prefix(uri, URI_SCHEME_SPICE_TLS)) {
+ authority = uri + strlen(URI_SCHEME_SPICE_TLS);
+ tls_scheme = true;
+ } else {
g_warning("Expected a URI scheme of '%s' in URI '%s'",
URI_SCHEME_SPICE, uri);
goto fail;
}
- authority = uri + strlen(URI_SCHEME_SPICE);
tmp = strchr(authority, '@');
if (tmp) {
@@ -502,6 +508,11 @@ static int spice_parse_uri(SpiceSession *session, const char *original_uri)
}
path = NULL;
+ if (tls_scheme && query[0] != '\0') {
+ g_warning(URI_SCHEME_SPICE_TLS " scheme doesn't support query string");
+ goto fail;
+ }
+
while (query && query[0] != '\0') {
gchar key[32], value[128];
gchar **target_key;
@@ -568,8 +579,12 @@ end:
s->unix_path = g_strdup(path);
g_free(uri);
s->host = host;
- s->port = port;
- s->tls_port = tls_port;
+ if (tls_scheme) {
+ s->tls_port = port;
+ } else {
+ s->port = port;
+ s->tls_port = tls_port;
+ }
s->username = username;
s->password = password;
return 0;
--
2.16.1.73.g5832b7e9f2
More information about the Spice-devel
mailing list