Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
The curl block driver support for HTTP/HTTPS allows cookies to be set via the "cookie" option
eg
qemu-img info 'json: {
"file.driver":"https",
"file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1",
"file.sslverify":"off",
"file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}'
this is bad because many cookies are security sensitive (as in this example), essentially equivalent to passwords, and this syntax exposes them on the command line for all to see.
QEMU has a secrets object which can be used to pass security sensitive data to QEMU without exposing it to snooping.
The curl driver needs to be extended so that the cookie values can be passed in via secret objects.
This is a pre-requisite for being able to pass cookies into QEMU from libvirt.
A second problem is that the 'cookie' parameter is badly modelled from a QAPI schema. It is using a "str" to encode a list of key, value pairs, where it should be using a qapi list of structs. This likely needs to be fixed at the same time
Version-Release number of selected component (if applicable):
2.9.0
commit 327c8ebd7035e4d3d94b08dd741906f1d8bb8a53
Author: Peter Krempa <pkrempa>
Date: Thu May 4 16:00:06 2017 +0200
block: curl: Allow passing cookies via QCryptoSecret
Since cookies can contain sensitive data (session ID, etc ...) it is
desired to hide them from the prying eyes of users. Add a possibility to
pass them via the secret infrastructure.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413
Signed-off-by: Peter Krempa <pkrempa>
Reviewed-by: Eric Blake <eblake>
Reviewed-by: Jeff Cody <jcody>
Message-id: f4a22cdebdd0bca6a13a43a2a6deead7f2ec4bb3.1493906281.git.pkrempa
Signed-off-by: Jeff Cody <jcody>
Hi loyu,
I set up a script on http://78.47.108.109:8080/cgi-bin/cookie-test.rb which displays the raw cookie data passed to it.
You can use it to test the new feature like this:
$ qemu-img convert -f raw -O raw \
--object secret,id=cookies,data=cookie-data-to-test \
"json:{'file.driver':'http',
'file.cookie-secret':'cookies',
'file.url':'http://78.47.108.109:8080/cgi-bin/cookie-test.rb'}" \
/tmp/cookie-data
And then the file /tmp/cookie-data should contain the string "cookie-data-to-test" (probably padded with zero-bytes to a length of 512 bytes).
Max
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:1104
Description of problem: The curl block driver support for HTTP/HTTPS allows cookies to be set via the "cookie" option eg qemu-img info 'json: { "file.driver":"https", "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1", "file.sslverify":"off", "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}' this is bad because many cookies are security sensitive (as in this example), essentially equivalent to passwords, and this syntax exposes them on the command line for all to see. QEMU has a secrets object which can be used to pass security sensitive data to QEMU without exposing it to snooping. The curl driver needs to be extended so that the cookie values can be passed in via secret objects. This is a pre-requisite for being able to pass cookies into QEMU from libvirt. A second problem is that the 'cookie' parameter is badly modelled from a QAPI schema. It is using a "str" to encode a list of key, value pairs, where it should be using a qapi list of structs. This likely needs to be fixed at the same time Version-Release number of selected component (if applicable): 2.9.0