From 3462e540eec5f469c5dec6f6c55b170917c4eeea Mon Sep 17 00:00:00 2001
From: Marius Vollmer <marius.vollmer@gmail.com>
Date: Fri, 9 Aug 2024 11:18:41 +0300
Subject: [PATCH] login: Warn before logging into multiple hosts

---
 pkg/static/login.html |  8 ++++++++
 pkg/static/login.js   | 12 ++++++++++--
 pkg/static/login.scss |  4 ++--
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/pkg/static/login.html b/pkg/static/login.html
index d91201916952..3740f0a7e490 100644
--- a/pkg/static/login.html
+++ b/pkg/static/login.html
@@ -21,6 +21,14 @@
     <span id="banner-message" class="pf-v5-c-alert__title"></span>
   </div>
 
+  <div id="multihost-warning" class="pf-v5-c-alert pf-m-info pf-m-inline dialog-error" aria-label="inline danger alert" hidden="true">
+    <svg fill="currentColor" viewBox="0 0 448 512" aria-hidden="true">
+      <path d="M224 512c35.32 0 63.97-28.65 63.97-64H160.03c0 35.35 28.65 64 63.97 64zm215.39-149.71c-19.32-20.76-55.47-51.99-55.47-154.29 0-77.7-54.48-139.9-127.94-155.16V32c0-17.67-14.32-32-31.98-32s-31.98 14.33-31.98 32v20.84C118.56 68.1 64.08 130.3 64.08 208c0 102.3-36.15 133.53-55.47 154.29-6 6.45-8.66 14.16-8.61 21.71.11 16.4 12.98 32 32.1 32h383.8c19.12 0 32-15.6 32.1-32 .05-7.55-2.61-15.27-8.61-21.71z" />
+    </svg>
+    <p id="multihost-message" class="pf-v5-c-alert__title"></p>
+    <button id="multihost-get-me-there" class="pf-v5-c-button">Go there</button>
+  </div>
+
   <span id="badge"></span>
 
   <div class="container" id="main">
diff --git a/pkg/static/login.js b/pkg/static/login.js
index ff296bc71408..386b05ed214f 100644
--- a/pkg/static/login.js
+++ b/pkg/static/login.js
@@ -355,8 +355,16 @@ import "./login.scss";
             }
         }
 
-        if (cur_machine && !environment.page.allow_multihost)
-            redirect_to_current_machine();
+        if (cur_machine) {
+            if (!environment.page.allow_multihost)
+                redirect_to_current_machine();
+            else {
+                id("multihost-message").textContent = format(_("You are already connected to '$0' in this browser session. Connecting to other hosts will allow them to execute arbitrary code on each other. Please be careful."),
+                                                             cur_machine == "." ? "localhost" : cur_machine);
+                id("multihost-get-me-there").addEventListener("click", redirect_to_current_machine);
+                show('#multihost-warning');
+            }
+        }
     }
 
     function boot() {
diff --git a/pkg/static/login.scss b/pkg/static/login.scss
index 33e664562fa9..b1fddb29d11f 100644
--- a/pkg/static/login.scss
+++ b/pkg/static/login.scss
@@ -354,14 +354,14 @@ label.checkbox {
   display: none;
 }
 
-.login-pf #banner {
+.login-pf #banner, .login-pf #multihost-warning {
   margin-block: 1rem 0.5rem;
   margin-inline: 0;
   grid-area: banner;
   inline-size: 100%;
 }
 
-#banner-message {
+#banner-message, #multihost-message  {
   white-space: pre-wrap;
   max-block-size: 12em;
   overflow: auto;