[libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies
Peter Krempa
pkrempa at redhat.com
Thu Apr 27 15:46:16 UTC 2017
On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote:
> On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote:
> > Format the string into the "curl" format so that it's accepted by qemu.
> >
> > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164
[snip]
> Your example cookie is rather tame, but I wonder if we should
> consider cookie values to be security sensitive data, and thus
> use the secrets mechanism. If we did this would also entail fixes
> to QEMU to let use its secrets mechanism too.
I thought briefly about the same before posting this, but I went through
anyways ...
>
> I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd
> password information leak), via sensitive cookie values.
We could allow generic cookies passed on the command line
and then perhaps add a <cookie name="ble" secure='yes'>value</cookie>
which will be passed via the secrets infrastructure.
In that case I should probably add a statement saying that the cookies
are passed in a insecure way.,
This way generic cookies can be passed even now and the provision for
secure cookies can be added once qemu adds that feature.
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170427/dcb29a6e/attachment-0001.sig>
More information about the libvir-list
mailing list