
On Thu, Dec 16, 2021 at 10:48:53AM +0000, Daniel P. Berrangé wrote:
The VNC password authentication scheme is quite horrendous in that it takes the user password and directly uses it as a DES case. DES is an 8 byte keyed cipher, so the VNC password can never be more than 8 characters long. Anything over that length will be silently dropped.
We should validate this length restriction when accepting user XML configs and report an error. For the global VNC password we don't really want to break daemon startup by reporting an error, but logging a warning is worthwhile.
https://bugzilla.redhat.com/show_bug.cgi?id=1506689

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/qemu/qemu_conf.c     | 6 ++++++
 src/qemu/qemu_validate.c | 8 ++++++++
 2 files changed, 14 insertions(+)
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
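
The truncation described in the commit message, as an added example that is not part of the patch or of libvirt: it derives the 8-byte DES key the way RFB VNC authentication does (zero-padded, bytes past the 8th dropped, bit order of each byte reversed) and shows that a longer password yields the same key as its first 8 bytes. The function names and the sample password are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VNC_KEY_LEN 8 /* DES key size in bytes */

/* RFB VNC authentication reverses the bit order of every key byte. */
static uint8_t reverse_bits(uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++)
        r |= (uint8_t)(((b >> i) & 1) << (7 - i));
    return r;
}

/* Build the DES key: zero-pad short passwords, drop bytes past the 8th. */
void vnc_des_key(const char *password, uint8_t key[VNC_KEY_LEN])
{
    size_t len = strlen(password);
    memset(key, 0, VNC_KEY_LEN);
    for (size_t i = 0; i < len && i < VNC_KEY_LEN; i++)
        key[i] = reverse_bits((uint8_t)password[i]);
}

/* Returns 1 when two passwords yield the same key, i.e. are interchangeable. */
int vnc_same_key(const char *a, const char *b)
{
    uint8_t ka[VNC_KEY_LEN], kb[VNC_KEY_LEN];
    vnc_des_key(a, ka);
    vnc_des_key(b, kb);
    return memcmp(ka, kb, VNC_KEY_LEN) == 0;
}

/* Hypothetical config-time check: 0 if every byte is used, -1 if some would be dropped. */
int vnc_password_validate(const char *password)
{
    return strlen(password) > VNC_KEY_LEN ? -1 : 0;
}

int main(void)
{
    const char *cfg = "correcthorse"; /* constructed sample value */
    if (vnc_password_validate(cfg) < 0)
        printf("error: VNC password is %zu bytes, only %d are used\n",
               strlen(cfg), VNC_KEY_LEN);
    printf("same key as \"correcth\": %d\n", vnc_same_key(cfg, "correcth"));
    return 0;
}
```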