Re: [libvirt] [PATCH 14/14] qemu: command: Add support for HTTP cookies

On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote: > On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote: > > Format the string into the "curl" format so that it's accepted by qemu. > > > > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164 [snip] > Your example cookie is rather tame, but I wonder if we should > consider cookie values to be security sensitive data, and thus > use the secrets mechanism. If we did this would also entail fixes > to QEMU to let use its secrets mechanism too. I thought briefly about the same before posting this, but I went through anyways ... > > I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd > password information leak), via sensitive cookie values. We could allow generic cookies passed on the command line and then perhaps add a <cookie name="ble" secure='yes'>value</cookie> which will be passed via the secrets infrastructure.