On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote: > On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote: > > Format the string into the "curl" format so that it's accepted by qemu. > > > > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164 [snip] > Your example cookie is rather tame, but I wonder if we should > consider cookie values to be security sensitive data, and thus > use the secrets mechanism. If we did this would also entail fixes > to QEMU to let use its secrets mechanism too. I thought briefly about the same before posting this, but I went through anyways ... > > I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd > password information leak), via sensitive cookie values. We could allow generic cookies passed on the command line and then perhaps add a <cookie name="ble" secure='yes'>value</cookie> which will be passed via the secrets infrastructure. In that case I should probably add a statement saying that the cookies are passed in a insecure way., This way generic cookies can be passed even now and the provision for secure cookies can be added once qemu adds that feature. Peter
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
