-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issue #5
Comments
A security token can now be set on startup with |
Just stumbled upon this issue. Thxs for the quick fix. For those who wonder how this will work, you'll just have to add that secret token to the viewing URL, e.g. > httpgd::httpgd(token="secret")
httpgd live server running at:
http://127.0.0.1:8288/live?token=secret |
I'm also wondering if there's a function to return the URL so that it is easier to program with? e.g. calling |
You can now call |
Should randomly generated tokens be used by default when no token is specified? Currently tokens are deactivated by default. |
I guess we could make
Since shiny apps have similar issue, it is okay for me that no token is the default unless user explicitly want this. |
Perhaps it's just the paranoid in me, but on a similar note would it help to randomize the @renkun-ken's point about multi-user systems drive home this point. Since it's printing the URL on the command-line when I start it anyway, I don't see any reason not to both randomize the port number and default to applying a (random) token. This makes it about as resilient to snooping as you can get at this point. (It does require a little resiliency in finding that port number and shifting if in use.) I vote that you start more-secure and allow the user to opt for less security. |
Edit: @r2evans is right, it should be secure by default. I am not sure if we should not use a default port the user can remember. What are your opinions? |
My vote (not that it's a secret): In the general single-user environment, if you make general use "easy" (either copy/paste the URL from the console or more easily incorporate In a multi-user environment, it is as secure as it can be by default (port+token) short of SSL and certificates, make them choose insecure with arguments. For ornery users who would really prefer to not type in ports and/or tokens each time, you might consider adding httpgd <-
function(host = getOption("httpgd.host", "127.0.0.1"),
port = getOption("httpgd.port", 0L),
width = 720,
height = 576,
bg = "white",
pointsize = 12,
system_fonts = list(),
user_fonts = list(),
recording = TRUE,
cors = FALSE,
token = getOption("httpgd.token", TRUE)) { In related packages, I've found it useful when the "random port" remains constant for the current R session. It's not hard to do: generate a random port and token in (I apologize for the spiral features here, but I suggest that security should be a compromise for the user, but you don't have to make it super difficult. Or perhaps you should :-) *shrug*) |
@nx10 Definitely happy to see the design of using free port and token by default. |
I think the discussion has moved on a bit from the original issue (which was addressed with security tokens and randomized ports), so I moved it to a new issue and will close this for now. |
The http server works nicely with demand that requires an external viewer to view the graphics outside R. If the user is using a personal computer and httpgd http server is started from localhost, there's no security issue on this. However, if the http server is started in a server with many users, there might be some demand that the graphics should be private to the user that creates the graphics, i.e. not visible to other users.
Currently, any user on the same server could visit the
localhost:port
(if port is known by others) and see the graphics.I'm wondering if something could be done so that there's a way to prevent other users from seeing the graphics. One way that comes to my mind is that user could supply or httpgd to generate a token before starting the http server. Only user with this token specified somewhere (e.g URL query params) could visit the graphics.
The text was updated successfully, but these errors were encountered: