Red Hat Bugzilla – Bug 1447413
RFE: provide a secure way to pass cookies to curl block driver
Last modified: 2018-04-10 20:16:25 EDT
Description of problem: The curl block driver support for HTTP/HTTPS allows cookies to be set via the "cookie" option eg qemu-img info 'json: { "file.driver":"https", "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1", "file.sslverify":"off", "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}' this is bad because many cookies are security sensitive (as in this example), essentially equivalent to passwords, and this syntax exposes them on the command line for all to see. QEMU has a secrets object which can be used to pass security sensitive data to QEMU without exposing it to snooping. The curl driver needs to be extended so that the cookie values can be passed in via secret objects. This is a pre-requisite for being able to pass cookies into QEMU from libvirt. A second problem is that the 'cookie' parameter is badly modelled from a QAPI schema. It is using a "str" to encode a list of key, value pairs, where it should be using a qapi list of structs. This likely needs to be fixed at the same time Version-Release number of selected component (if applicable): 2.9.0
commit 327c8ebd7035e4d3d94b08dd741906f1d8bb8a53 Author: Peter Krempa <pkrempa@redhat.com> Date: Thu May 4 16:00:06 2017 +0200 block: curl: Allow passing cookies via QCryptoSecret Since cookies can contain sensitive data (session ID, etc ...) it is desired to hide them from the prying eyes of users. Add a possibility to pass them via the secret infrastructure. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Message-id: f4a22cdebdd0bca6a13a43a2a6deead7f2ec4bb3.1493906281.git.pkrempa@redhat.com Signed-off-by: Jeff Cody <jcody@redhat.com>
Hi, Max, could you please give some hint about verification?
Hi loyu, I set up a script on http://78.47.108.109:8080/cgi-bin/cookie-test.rb which displays the raw cookie data passed to it. You can use it to test the new feature like this: $ qemu-img convert -f raw -O raw \ --object secret,id=cookies,data=cookie-data-to-test \ "json:{'file.driver':'http', 'file.cookie-secret':'cookies', 'file.url':'http://78.47.108.109:8080/cgi-bin/cookie-test.rb'}" \ /tmp/cookie-data And then the file /tmp/cookie-data should contain the string "cookie-data-to-test" (probably padded with zero-bytes to a length of 512 bytes). Max
Verified that qemu-kvm-rhev-2.10.0-3.el7 supports pass http cookies in the file. Step to verify: # qemu-img info "json:{'file.driver':'http','file.cookie-secret':'cookies','file.url':'http://10.66.11.1/image/rhel74-64-virtio.qcow2'}" --object secret,id=cookies,data=this-is-a-test image: json:{"driver": "qcow2", "file": {"url": "http://10.66.11.1/image/rhel74-64-virtio.qcow2", "cookie-secret": "cookies", "driver": "http"}} file format: qcow2 virtual size: 20G (21474836480 bytes) disk size: unavailable cluster_size: 65536 Format specific information: compat: 1.1 lazy refcounts: false refcount bits: 16 corrupt: false
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1104