Bug 1447413 - RFE: provide a secure way to pass cookies to curl block driver
Summary: RFE: provide a secure way to pass cookies to curl block driver
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Max Reitz
QA Contact: Longxiang Lyu
Keywords: FutureFeature
Depends On:
Blocks: 1140164
TreeView+ depends on / blocked
Reported: 2017-05-02 16:37 UTC by Daniel Berrange
Modified: 2018-04-11 00:16 UTC (History)
14 users (show)

Clone Of:
Last Closed: 2018-04-11 00:16:25 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1104 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2018-04-10 22:54:38 UTC

Description Daniel Berrange 2017-05-02 16:37:26 UTC
Description of problem:
The curl block driver support for HTTP/HTTPS allows cookies to be set via the "cookie" option


qemu-img info 'json: {

this is bad because many cookies are security sensitive (as in this example), essentially equivalent to passwords, and this syntax exposes them on the command line for all to see. 

QEMU has a secrets object which can be used to pass security sensitive data to QEMU without exposing it to snooping. 

The curl driver needs to be extended so that the cookie values can be passed in via secret objects.

This is a pre-requisite for being able to pass cookies into QEMU from libvirt.

A second problem is that the 'cookie' parameter is badly modelled from a QAPI schema. It is using a "str" to encode a list of key, value pairs, where it should be using a qapi list of structs. This likely needs to be fixed at the same time

Version-Release number of selected component (if applicable):

Comment 2 Peter Krempa 2017-07-24 11:36:04 UTC
commit 327c8ebd7035e4d3d94b08dd741906f1d8bb8a53
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Thu May 4 16:00:06 2017 +0200

    block: curl: Allow passing cookies via QCryptoSecret
    Since cookies can contain sensitive data (session ID, etc ...) it is
    desired to hide them from the prying eyes of users. Add a possibility to
    pass them via the secret infrastructure.
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413
    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Reviewed-by: Jeff Cody <jcody@redhat.com>
    Message-id: f4a22cdebdd0bca6a13a43a2a6deead7f2ec4bb3.1493906281.git.pkrempa@redhat.com
    Signed-off-by: Jeff Cody <jcody@redhat.com>

Comment 4 Longxiang Lyu 2017-10-23 10:40:26 UTC
Hi, Max, could you please give some hint about verification?

Comment 5 Max Reitz 2017-10-25 15:57:48 UTC
Hi loyu,

I set up a script on which displays the raw cookie data passed to it.

You can use it to test the new feature like this:

$ qemu-img convert -f raw -O raw \
  --object secret,id=cookies,data=cookie-data-to-test \
         'file.url':''}" \

And then the file /tmp/cookie-data should contain the string "cookie-data-to-test" (probably padded with zero-bytes to a length of 512 bytes).


Comment 6 Longxiang Lyu 2017-10-26 05:40:15 UTC
Verified that qemu-kvm-rhev-2.10.0-3.el7 supports pass http cookies in the file.

Step to verify:
# qemu-img info "json:{'file.driver':'http','file.cookie-secret':'cookies','file.url':''}" --object secret,id=cookies,data=this-is-a-test
image: json:{"driver": "qcow2", "file": {"url": "", "cookie-secret": "cookies", "driver": "http"}}
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: unavailable
cluster_size: 65536
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false

Comment 8 errata-xmlrpc 2018-04-11 00:16:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.