Re: [libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies
On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote:
Format the string into the "curl" format so that it's
accepted by qemu.
Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164
[snip]
diff --git
a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args
b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args
new file mode 100644
index 000000000..9900866cc
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-http.args
@@ -0,0 +1,32 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-i686 \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefaults \
+-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+-no-acpi \
+-boot c \
+-usb \
+-drive file=http://example.org:80/test.img,format=raw,if=none,\
+id=drive-virtio-disk0 \
+-device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-drive file=https://example.org:443/test2.img,format=raw,if=none,\
+id=drive-virtio-disk1 \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,\
+id=virtio-disk1 \
+-drive 'file=http://example.org:1234/test3.img,\
+file.cookie=test=testcookievalue; test2=blurb,format=raw,if=none,\
Your example cookie is rather tame, but I wonder if we should
consider cookie values to be security sensitive data, and thus
use the secrets mechanism. If we did this would also entail fixes
to QEMU to let use its secrets mechanism too.
I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd
password information leak), via sensitive cookie values.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|