On Thu, Apr 27, 2017 at 17:46:16 +0200, Peter Krempa wrote: > On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote: > > On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote: > > > Format the string into the "curl" format so that it's accepted by qemu. > > > > > > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164 > > [snip] > > > Your example cookie is rather tame, but I wonder if we should > > consider cookie values to be security sensitive data, and thus > > use the secrets mechanism. If we did this would also entail fixes > > to QEMU to let use its secrets mechanism too. > > I thought briefly about the same before posting this, but I went through > anyways ... > > > > > I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd > > password information leak), via sensitive cookie values. > > We could allow generic cookies passed on the command line > and then perhaps add a <cookie name="ble" secure='yes'>value</cookie> > which will be passed via the secrets infrastructure. Or better, treat them as secure by default and make users add secure='no' explicitly so that they are aware of the way we pass it.
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
