mirror of
https://github.com/0xJacky/nginx-ui.git
synced 2026-04-25 08:45:58 +03:00
[GH-ISSUE #394] 终端鉴权优化 #3326
Labels
No labels
Q/A
bug
casdoor
dependencies
docker
documentation
duplicate
enhancement
help wanted
invalid
lego
platform:openwrt
platform:windows
pull-request
question
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/nginx-ui#3326
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Naochen2799 on GitHub (May 15, 2024).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/394
https://yourdomain.com/#/terminal
没有终端相关的鉴权,存在被滥用的风险。
注:包括demo站点!
@0xJacky commented on GitHub (May 15, 2024):
我不清楚您是如何认为我们没有做终端鉴权的
github.com/0xJacky/nginx-ui@189f623994/router/routers.go (L66-L70)后端需要通过 token 验证才可以进入 web 终端,其次,我在文档中有注明使用 login 作为启动命令,这样相当于可以多套一层 linux 的用户认证
https://nginxui.com/zh_CN/guide/config-server.html#startcmd
在未登录的情况下,访问 yourdomain.com/#/termainal 也有前端的路由守卫,跳转至 #/login
github.com/0xJacky/nginx-ui@189f623994/app/src/routes/index.ts (L307)@Naochen2799 commented on GitHub (May 15, 2024):
我没有完整的阅读文档,忽略了Linux默认的用户名和密码进行验证。
但是目前的demo网站似乎也没有添加额外的授权,可能存在风险
@0xJacky commented on GitHub (May 15, 2024):
因为 demo 为了展示,所以直接用的 bash 作为启动命令
@0xJacky commented on GitHub (May 15, 2024):
后续会增加设置,禁用 WebTerminal,以及二步验证等