[Spice-devel] [PATCH spice-gtk 2/4] uri: learn to parse spice+tls:// form

marcandre.lureau at redhat.com marcandre.lureau at redhat.com
Thu Feb 8 12:21:26 UTC 2018


From: Marc-André Lureau <marcandre.lureau at redhat.com>

spice:// has a weird scheme encoding, where it can accept both plain
and tls ports with URI query parameters. However, it's not very
convenient nor very common to use (who really wants to mix plain & tls
channels?).

Instead, let's introduce the more readable form spice+tls://host:port

This form will not accept query string, thus mixing plain and tls is
not possible (it would be confusing to have ?port= for plain), nor
passing password and such.

Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
---
 man/spice-client.pod | 29 +++++++++++++++++------------
 src/spice-session.c  | 23 +++++++++++++++++++----
 2 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/man/spice-client.pod b/man/spice-client.pod
index 7288b84..4b23c7d 100644
--- a/man/spice-client.pod
+++ b/man/spice-client.pod
@@ -12,23 +12,24 @@ can be used to tweak some SPICE-specific option.
 
 =head1 URI
 
-The most basic SPICE URI which can be used is in the form
+To initiate a plain SPICE connection (the connection will be
+unencrypted) to hostname.example.com and port 5900, use the following
+URI:
+
   spice://hostname.example.com:5900
 
-This will try to initiate a SPICE connection to hostname.example.com
-to port 5900. This connection will be unencrypted. This URI is
-equivalent to
-  spice://hostname.example.com?port=5900
+In order to start a TLS connection, one would use:
 
-In order to start a TLS connection, one would use
-  spice://hostname.example.com?tls-port=5900
+  spice+tls://hostname.example.com:5900
 
-Other valid URI parameters are 'username' and 'password'. Be careful that
-passing a password through a SPICE URI might cause the password to be
-visible by any local user through 'ps'.
+Note: this form is available since v0.35, you have to use the spice://
+query string with the tls-port parameter before that.
+
+=head1 spice:// URI query string
+
+spice:// URI accepts query string. Several parameters can be specified
+at once if they are separated by & or ;
 
-Several parameters can be specified at once if they are separated
-by & or ;
   spice://hostname.example.com?port=5900;tls-port=5901
 
 When using 'tls-port', it's recommended to not specify any non-TLS port.
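
Review bot: the new spice+tls:// paragraph in the URI section never says that this form rejects a query string, although the commit message states it and the parser change below fails on it. Add a sentence after the "spice+tls://hostname.example.com:5900" example saying that no parameters (port, tls-port, username, password) can be passed with this scheme, so a user who appends one knows why the URI is refused. Minor wording: "available since v0.35, you have to use" reads better split into two sentences.
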
@@ -39,6 +40,10 @@ then try to use the TLS port. This means a man-in-the-middle could force
 the whole SPICE session to go in clear text regardless of the TLS settings
 of the SPICE server.
 
+Other valid URI parameters are 'username' and 'password'. Be careful that
+passing a password through a SPICE URI might cause the password to be
+visible by any local user through 'ps'.
+
 =head1 OPTIONS
 
 The following options are accepted when running a SPICE client which
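
Review bot: the man-in-the-middle paragraph kept as context at the top of this hunk describes the clear-text fallback but still offers no alternative now that one exists. Since the spice-session.c change assigns only s->tls_port for spice+tls://, consider adding a sentence there pointing readers to the spice+tls:// form as the way to give a TLS port without a plain one. The relocated 'password' warning would also be easier to find directly under the "spice:// URI query string" heading than after the fallback discussion.
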
diff --git a/src/spice-session.c b/src/spice-session.c
index 2aabf58..7218449 100644
--- a/src/spice-session.c
+++ b/src/spice-session.c
@@ -389,6 +389,7 @@ spice_session_finalize(GObject *gobject)
 
 #define URI_SCHEME_SPICE "spice://"
 #define URI_SCHEME_SPICE_UNIX "spice+unix://"
+#define URI_SCHEME_SPICE_TLS "spice+tls://"
 #define URI_QUERY_START ";?"
 #define URI_QUERY_SEP   ";&"
 
@@ -425,6 +426,7 @@ static int spice_parse_uri(SpiceSession *session, const char *original_uri)
     gchar *authority = NULL;
     gchar *query = NULL;
     gchar *tmp = NULL;
+    bool tls_scheme = false;
 
     g_return_val_if_fail(original_uri != NULL, -1);
 
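
Review bot: style point on the added "bool tls_scheme = false;" declaration: the neighbouring locals use GLib types (gchar *), so gboolean with FALSE/TRUE would match the rest of the function. If bool is kept, check that <stdbool.h> is already pulled in by this file, since nothing in the patch adds it.
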
@@ -438,12 +440,16 @@ static int spice_parse_uri(SpiceSession *session, const char *original_uri)
     /* Break up the URI into its various parts, scheme, authority,
      * path (ignored) and query
      */
-    if (!g_str_has_prefix(uri, URI_SCHEME_SPICE)) {
+    if (g_str_has_prefix(uri, URI_SCHEME_SPICE)) {
+        authority = uri + strlen(URI_SCHEME_SPICE);
+    } else if (g_str_has_prefix(uri, URI_SCHEME_SPICE_TLS)) {
+        authority = uri + strlen(URI_SCHEME_SPICE_TLS);
+        tls_scheme = true;
+    } else {
         g_warning("Expected a URI scheme of '%s' in URI '%s'",
                   URI_SCHEME_SPICE, uri);
         goto fail;
     }
-    authority = uri + strlen(URI_SCHEME_SPICE);
 
     tmp = strchr(authority, '@');
     if (tmp) {
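
Review bot: the g_warning in the final else branch still says "Expected a URI scheme of '%s'" with only URI_SCHEME_SPICE, which is misleading now that spice+tls:// is accepted as well. Mention both schemes in the message, for example by passing URI_SCHEME_SPICE_TLS as a second argument. Note also that the userinfo parsing that follows (strchr(authority, '@')) runs for the TLS scheme too, so it is worth stating in the commit message or man page whether user@host is meant to be allowed with spice+tls://.
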
@@ -502,6 +508,11 @@ static int spice_parse_uri(SpiceSession *session, const char *original_uri)
     }
     path = NULL;
 
+    if (tls_scheme && query[0] != '\0') {
+        g_warning(URI_SCHEME_SPICE_TLS " scheme doesn't support query string");
+        goto fail;
+    }
+
     while (query && query[0] != '\0') {
         gchar key[32], value[128];
         gchar **target_key;
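
Review bot: the new check "if (tls_scheme && query[0] != '\0')" dereferences query without testing it for NULL, while the loop directly below guards with "while (query && query[0] != '\0')". If query can be NULL at this point, as that guard suggests, a spice+tls:// URI without a query part would crash here. Use "tls_scheme && query && query[0] != '\0'" to match the loop condition.
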
@@ -568,8 +579,12 @@ end:
     s->unix_path = g_strdup(path);
     g_free(uri);
     s->host = host;
-    s->port = port;
-    s->tls_port = tls_port;
+    if (tls_scheme) {
+        s->tls_port = port;
+    } else {
+        s->port = port;
+        s->tls_port = tls_port;
+    }
     s->username = username;
     s->password = password;
     return 0;
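
Review bot: in the tls_scheme branch s->port is never assigned, so whatever it held before the call stays in place. If the old value is released above this hunk, as one would expect before the fields are replaced, the pointer is left dangling; if it is not released, a session reused with a spice+tls:// URI keeps a stale plain port and the plain-then-TLS fallback described in the man page could still apply. Set "s->port = NULL;" explicitly in that branch. The local tls_port is also ignored there, which is fine only because the query string is rejected earlier; a short comment saying so would help the next reader.
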
-- 
2.16.1.73.g5832b7e9f2


