[libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies
Peter Krempa
pkrempa at redhat.com
Thu Apr 27 15:58:03 UTC 2017
On Thu, Apr 27, 2017 at 17:46:16 +0200, Peter Krempa wrote:
> On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote:
> > On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote:
> > > Format the string into the "curl" format so that it's accepted by qemu.
> > >
> > > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164
>
> [snip]
>
> > Your example cookie is rather tame, but I wonder if we should
> > consider cookie values to be security sensitive data, and thus
> > use the secrets mechanism. If we did this would also entail fixes
> > to QEMU to let use its secrets mechanism too.
>
> I thought briefly about the same before posting this, but I went through
> anyways ...
>
> >
> > I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd
> > password information leak), via sensitive cookie values.
>
> We could allow generic cookies passed on the command line
> and then perhaps add a <cookie name="ble" secure='yes'>value</cookie>
> which will be passed via the secrets infrastructure.
Or better, treat them as secure by default and make users add
secure='no' explicitly so that they are aware of the way we pass it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170427/efd12e9a/attachment-0001.sig>
More information about the libvir-list
mailing list