
On Mon, Nov 02, 2009 at 05:24:38PM +0100, Matthias Bolte wrote:
2009/10/29 Matthias Bolte <matthias.bolte@googlemail.com>:
2009/10/28 Daniel P. Berrange <berrange@redhat.com>:
On Wed, Oct 28, 2009 at 09:12:06PM +0100, Matthias Bolte wrote:
The default transport for the VI API is HTTPS. If the server redirects from HTTPS to HTTP, the driver would silently follow that redirection. The user assumes they are communicating with the server over a secure transport, but they aren't.
Good catch, this is definitely something we don't want to happen.
This patch disables automatic redirection following. The driver reports an error if the server tries to redirect.
Is the user likely to hit any redirects in the real world, or is this just an edge case? If they're likely to hit redirects, then we might want to allow a redirect if it points to another path on the same server as the original URI, and is using HTTPS.
Daniel
As far as I can tell it's an edge case.
The available transports can be configured on the ESX server. Default is HTTPS-only, but you can configure it to use HTTPS+HTTP or HTTP-only. The ESX server redirects you to the other protocol if you try to access it via a disabled one. I'm not aware of any other situation that results in a redirect.
Matthias
If no doubts are left then I'm going to push these 5 ESX patches.
ACK, works for me

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
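
The alternative policy raised in the thread (follow a redirect only when it stays on the same server and still uses HTTPS) can be written as a check like the one below. This is an added example, not code from the patch or from libvirt; the function names and the host names are hypothetical, and the comparison is on the literal authority string.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the authority (host[:port]) of an https:// URL into buf.
 * Returns 0 on success, -1 if the URL is not HTTPS or is malformed. */
static int https_authority(const char *url, char *buf, size_t buflen)
{
    static const char scheme[] = "https://";
    size_t n;

    if (strncasecmp(url, scheme, sizeof(scheme) - 1) != 0)
        return -1;                  /* http:// or any other scheme */
    url += sizeof(scheme) - 1;
    n = strcspn(url, "/?#");        /* authority ends at path, query or fragment */
    if (n == 0 || n >= buflen || memchr(url, '@', n) != NULL)
        return -1;                  /* empty, too long, or carries userinfo */
    memcpy(buf, url, n);
    buf[n] = '\0';
    return 0;
}

/* Return 1 if a redirect from `original` to the Location value `location`
 * stays on HTTPS and on the same server, 0 otherwise. Comparison is on the
 * literal authority, so "host" and "host:443" count as different (assumption). */
int redirect_allowed(const char *original, const char *location)
{
    char from[256], to[256];

    if (https_authority(original, from, sizeof(from)) < 0)
        return 0;
    /* A path-only target keeps scheme and host; "//host" and "/\host" do not. */
    if (location[0] == '/')
        return location[1] != '/' && location[1] != '\\';
    if (https_authority(location, to, sizeof(to)) < 0)
        return 0;
    return strcasecmp(from, to) == 0;
}

int main(void)
{
    /* Constructed sample values; esx.example.com is a placeholder host. */
    const char *orig = "https://esx.example.com/sdk";
    const char *loc[] = { "http://esx.example.com/sdk", "https://esx.example.com/sdk2",
                          "https://other.example.net/sdk", "//other.example.net/sdk" };
    for (size_t i = 0; i < sizeof(loc) / sizeof(loc[0]); i++)
        printf("%-32s %s\n", loc[i], redirect_allowed(orig, loc[i]) ? "follow" : "refuse");
    return 0;
}
```

Refusing on any doubt matches the behaviour the patch chooses: an unrecognised or downgraded target becomes an error reported to the user rather than a silent change of transport.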