On Thu, Apr 27, 2017 at 05:46:16PM +0200, Peter Krempa wrote: > On Thu, Apr 27, 2017 at 16:30:44 +0100, Daniel Berrange wrote: > > On Wed, Apr 26, 2017 at 07:52:44PM +0200, Peter Krempa wrote: > > > Format the string into the "curl" format so that it's accepted by qemu. > > > > > > Partially resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140164 > > [snip] > > > Your example cookie is rather tame, but I wonder if we should > > consider cookie values to be security sensitive data, and thus > > use the secrets mechanism. If we did this would also entail fixes > > to QEMU to let use its secrets mechanism too. > > I thought briefly about the same before posting this, but I went through > anyways ... > > > > > I'm just wary of re-introducing a bug like CVE-2015-5160 (rbd > > password information leak), via sensitive cookie values. > > We could allow generic cookies passed on the command line > and then perhaps add a <cookie name="ble" secure='yes'>value</cookie> > which will be passed via the secrets infrastructure. > > In that case I should probably add a statement saying that the cookies > are passed in a insecure way., > > This way generic cookies can be passed even now and the provision for > secure cookies can be added once qemu adds that feature. The thing is it feels like the compelling reason to use cookies in context of QEMU is precisely as an authorization mechanism. Even if we document them as "insecure" people will do it anyway, and the security flaw that results will be a libvirt CVE because we don't provide apps an alternative todo what they need. In addition, if the connection is using https: protocol, then I we think we should be doing encryption for all cookies, and not expect apps to set a secure=yes|no flag in the XML. Last time we accepted a temporary insecure solution we waited 5 years for QEMU to get us a fix... So I'm inclined to NACK this feature until QEMU provides us a way to handle cookies securely. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
