[libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies

Daniel P. Berrange berrange at redhat.com
Thu Apr 27 16:04:04 UTC 2017


On Thu, Apr 27, 2017 at 05:46:16PM +0200, Peter Krempa wrote:
> On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote:
> > On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote:
> > > Format the string into the "curl" format so that it's accepted by qemu.
> > > 
> > > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164
> 
>  [snip]
> 
> > Your example cookie is rather tame, but I wonder if we should
> > consider cookie values to be security sensitive data, and thus
> > use the secrets mechanism. If we did this would also entail fixes
> > to QEMU to let us use its secrets mechanism too.
> 
> I thought briefly about the same before posting this, but I went through
> anyways ...
> 
> > 
> > I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd
> > password information leak), via sensitive cookie values.
> 
> We could allow generic cookies passed on the command line
> and then perhaps add a <cookie name="ble" secure='yes'>value</cookie>
> which will be passed via the secrets infrastructure.
> 
> In that case I should probably add a statement saying that the cookies
> are passed in an insecure way.
> 
> This way generic cookies can be passed even now and the provision for
> secure cookies can be added once qemu adds that feature.

The thing is it feels like the compelling reason to use cookies in
context of QEMU is precisely as an authorization mechanism. Even
if we document them as "insecure" people will do it anyway, and
the security flaw that results will be a libvirt CVE because we
don't provide apps an alternative to do what they need.

In addition, if the connection is using https: protocol, then I
think we should be doing encryption for all cookies, and not
expect apps to set a secure=yes|no flag in the XML.

Last time we accepted a temporary insecure solution we waited 5 years
for QEMU to get us a fix...

So I'm inclined to NACK this feature until QEMU provides us a way
to handle cookies securely.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



