Re: [Qemu-devel] [PATCH] Bind VNC to localhost unless otherwise specified to increase security

[Attila-Mihaly Balazs]

Sorry, forgot to CC Gerd in my previous email.

On Mon, Jun 6, 2016 at 6:39 PM, Attila-Mihaly Balazs <address@hidden> wrote:
> Signed-off-by: Attila-Mihaly Balazs
> ---
>  qemu-options.hx | 7 ++++++-
>  ui/vnc.c        | 2 ++
>  2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/qemu-options.hx b/qemu-options.hx
> index 9f33361..80ade0d 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -1245,7 +1245,12 @@ syntax for the @var{display} is
>
>  TCP connections will only be allowed from @var{host} on display @var{d}.
>  By convention the TCP port is address@hidden Optionally, @var{host} can
> -be omitted in which case the server will accept connections from any host.
> +be omitted in which case the server will only accept connections from
> +localhost. To accept connections on a given network interface use the
> +syntax @var{interface IP}:@var{d} (for example @var{192.168.1.2}:@var{1}
> +or @var{[::1]}:@var{1}). To listen on all network interfaces specify
> address@hidden:@var{d}. Warning! Please make sure that you have authentication
> +set up before exposing VNC to the internet!
>
>  @item unix:@var{path}
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index c862fdc..b4597e4 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -3576,6 +3576,8 @@ void vnc_display_open(const char *id, Error **errp)
>              inet = saddr->u.inet.data = g_new0(InetSocketAddress, 1);
>              if (vnc[0] == '[' && vnc[hlen - 1] == ']') {
>                  inet->host = g_strndup(vnc + 1, hlen - 2);
> +            } else if (hlen == 0) {
> +                inet->host = g_strdup("localhost");
>              } else {
>                  inet->host = g_strndup(vnc, hlen);
>              }
> --
> 2.7.4