If I load the RFB package from Lukas's site[1] (Pharo 1.4, recent enough
VM, Linux) and set the RFB server's full password like this:
MyObject>>startRFB
    RFBServer current setFullPassword: self rfbPassword

MyObject>>rfbPassword
    ^'1234'
After that send, the source of rfbPassword shows '1234', but the bytecodes
show that it is '', and the apparently empty string is 8 bytes long, with
each character being (Character value: 0).
#setFullPassword: uses #atAllPut: to set the value of #rfbPassword to
'Character value: 0'.
My concerns are these:
1. Using the current implementation it's impossible to stop and restart
the RFB server with a default password programmatically.
2. The implementation is not idempotent when starting/stopping.
3. I don't understand the security consequences of removing the part
where the password sent to #encryptPassword: is set to NULL characters.
Is wiping the values of the #rfbPassword method necessary for security
reasons? I assume that setting the RFB server to only accept
connections from localhost and using X forwarding would take care of
most of the risk of having a string literal in the image.
Or, should I be accessing a default RFB password from another source
than a class side method in the image?
Is there a standard practice for starting and stopping the RFB server in
Pharo 1.4 where the RFB server is up and down during the time the image
is up?
Thanks for any advice
Paul
[1] The change was from this package: RFB-MiguelCoba.26.mcz from this
repo: http://source.lukas-renggli.ch/unsorted
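The following is an added example written for this thread; it is not code from the post above nor from the RFB package. It uses a small stand-in class (LiteralWipeDemo, with a hypothetical setter wipingSetPassword: that plays the role of setFullPassword:) to reproduce the effect described in the post: a setter that scrubs its argument with #atAllPut: after use scrubs the method literal itself, so the accessor's source still reads '1234' while the running method returns NUL characters. The stand-in does not model the 8-byte padding of the real server, so the wiped literal here stays 4 characters long. Evaluate the whole script in a Workspace.

```smalltalk
"Added example for this thread, not code from the original post or the RFB package.
 LiteralWipeDemo and wipingSetPassword: are hypothetical stand-ins."

| demo |

Object subclass: #LiteralWipeDemo
    instanceVariableNames: 'storedPassword'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'LiteralWipeDemo'.

"Same pattern as MyObject>>rfbPassword in the post: the password is a method literal."
LiteralWipeDemo compile: 'rfbPassword
    ^ ''1234'''.

"Stand-in for the server-side setter: keep a private copy of the bytes, then
 scrub the argument in place with #atAllPut:, as the post describes."
LiteralWipeDemo compile: 'wipingSetPassword: aString
    storedPassword := aString copy.
    aString atAllPut: (Character value: 0).
    ^ storedPassword'.

LiteralWipeDemo compile: 'storedPassword
    ^ storedPassword'.

demo := LiteralWipeDemo new.

"1. Hand the setter a copy: the scrub hits the copy, the literal in the method survives,
 so the server can be stopped and restarted with the same default password."
demo wipingSetPassword: demo rfbPassword copy.
self assert: demo rfbPassword = '1234'.
self assert: demo storedPassword = '1234'.

"2. Hand it the literal itself, as in the post: the literal is now all NULs.
 Source shows '1234', the compiled method returns an empty-looking string,
 and a second setFullPassword: call would install an all-NUL password."
demo wipingSetPassword: demo rfbPassword.
self assert: (demo rfbPassword allSatisfy: [:each | each value = 0]).
self assert: demo rfbPassword size = 4.
self assert: demo storedPassword = '1234'.

"Clean up: recompiling is the only way to get a fresh literal back once it was wiped."
LiteralWipeDemo compile: 'rfbPassword
    ^ ''1234'''.
```

Against the real server the smallest change on the caller's side is `setFullPassword: self rfbPassword copy`, which keeps restarts idempotent. The trade-off the post asks about remains: the wipe exists so the clear-text password does not stay around in memory after the server has derived its key, and a literal in a class-side method also sits in clear text in the saved .image file. Reading the default password from a file outside the image at startup and passing that (copied, so it can be wiped) avoids both issues. Note that recent Pharo releases make method literals read-only, so the same #atAllPut: raises a modification error instead of silently overwriting the literal.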