Re: [libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies
On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote:
On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote:
> Format the string into the "curl" format so that it's accepted by
qemu.
>
> Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164
[snip]
Your example cookie is rather tame, but I wonder if we should
consider cookie values to be security sensitive data, and thus
use the secrets mechanism. If we did this would also entail fixes
to QEMU to let use its secrets mechanism too.
I thought briefly about the same before posting this, but I went through
anyways ...
I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd
password information leak), via sensitive cookie values.
We could allow generic cookies passed on the command line
and then perhaps add a <cookie name="ble"
secure='yes'>value</cookie>
which will be passed via the secrets infrastructure.
In that case I should probably add a statement saying that the cookies
are passed in a insecure way.,
This way generic cookies can be passed even now and the provision for
secure cookies can be added once qemu adds that feature.
Peter
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)