[libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies

Daniel P. Berrange berrange at redhat.com
Thu Apr 27 15:30:44 UTC 2017


On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote:
> Format the string into the "curl" format so that it's accepted by qemu.
> 
> Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164

[snip]

> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args
> new file mode 100644
> index 000000000..9900866cc
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args
> @@ -0,0 +1,32 @@
> +LC_ALL=C \
> +PATH=/bin \
> +HOME=/home/test \
> +USER=test \
> +LOGNAME=test \
> +QEMU_AUDIO_DRV=none \
> +/usr/bin/qemu-system-i686 \
> +-name QEMUGuest1 \
> +-S \
> +-M pc \
> +-m 214 \
> +-smp 1,sockets=1,cores=1,threads=1 \
> +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
> +-nographic \
> +-nodefaults \
> +-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
> +-no-acpi \
> +-boot c \
> +-usb \
> +-drive file=http://example.org:80/test.img,format=raw,if=none,\
> +id=drive-virtio-disk0 \
> +-device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
> +id=virtio-disk0 \
> +-drive file=https://example.org:443/test2.img,format=raw,if=none,\
> +id=drive-virtio-disk1 \
> +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,\
> +id=virtio-disk1 \
> +-drive 'file=http://example.org:1234/test3.img,\
> +file.cookie=test=testcookievalue; test2=blurb,format=raw,if=none,\
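Review bot: The cookie on the last `-drive` line, `file.cookie=test=testcookievalue; test2=blurb`, is written verbatim into the QEMU argument list, so a real session cookie would be visible in the process list and wherever the generated command line is logged. Consider handing the value to QEMU out of band (for example by reference to a secret object) instead of inline in `-drive`. Separately, the expected output only exercises a value containing `=`, `;` and a space; a test value containing a comma would show whether it is doubled to `,,` so that it is not parsed as the start of the next `-drive` option such as `format=raw`.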

Your example cookie is rather tame, but I wonder if we should
consider cookie values to be security sensitive data, and thus
use the secrets mechanism. If we did, this would also entail fixes
to QEMU to let us use its secrets mechanism too.

I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd
password information leak), via sensitive cookie values.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
