RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1447413 - RFE: provide a secure way to pass cookies to curl block driver
Summary: RFE: provide a secure way to pass cookies to curl block driver
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Hanna Czenczek
QA Contact: Longxiang Lyu
URL:
Whiteboard:
Depends On:
Blocks: 1140164
TreeView+ depends on / blocked
 
Reported: 2017-05-02 16:37 UTC by Daniel Berrangé
Modified: 2018-04-11 00:16 UTC (History)
14 users (show)

Fixed In Version: qemu-kvm-rhev-2.10.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-11 00:16:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1104 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2018-04-10 22:54:38 UTC

Description Daniel Berrangé 2017-05-02 16:37:26 UTC 
Description of problem:
The curl block driver support for HTTP/HTTPS allows cookies to be set via the "cookie" option

eg 

qemu-img info 'json: {
        "file.driver":"https",
        "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1",
        "file.sslverify":"off",
        "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}'

this is bad because many cookies are security sensitive (as in this example), essentially equivalent to passwords, and this syntax exposes them on the command line for all to see. 

QEMU has a secrets object which can be used to pass security sensitive data to QEMU without exposing it to snooping. 

The curl driver needs to be extended so that the cookie values can be passed in via secret objects.

This is a pre-requisite for being able to pass cookies into QEMU from libvirt.

A second problem is that the 'cookie' parameter is badly modelled from a QAPI schema. It is using a "str" to encode a list of key, value pairs, where it should be using a qapi list of structs. This likely needs to be fixed at the same time


Version-Release number of selected component (if applicable):
2.9.0
Comment 2 Peter Krempa 2017-07-24 11:36:04 UTC 
commit 327c8ebd7035e4d3d94b08dd741906f1d8bb8a53
Author: Peter Krempa <pkrempa>
Date:   Thu May 4 16:00:06 2017 +0200

    block: curl: Allow passing cookies via QCryptoSecret
    
    Since cookies can contain sensitive data (session ID, etc ...) it is
    desired to hide them from the prying eyes of users. Add a possibility to
    pass them via the secret infrastructure.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413
    
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Eric Blake <eblake>
    Reviewed-by: Jeff Cody <jcody>
    Message-id: f4a22cdebdd0bca6a13a43a2a6deead7f2ec4bb3.1493906281.git.pkrempa
    Signed-off-by: Jeff Cody <jcody>
Comment 4 Longxiang Lyu 2017-10-23 10:40:26 UTC 
Hi, Max, could you please give some hint about verification?
Comment 5 Hanna Czenczek 2017-10-25 15:57:48 UTC 
Hi loyu,

I set up a script on http://78.47.108.109:8080/cgi-bin/cookie-test.rb which displays the raw cookie data passed to it.

You can use it to test the new feature like this:

$ qemu-img convert -f raw -O raw \
  --object secret,id=cookies,data=cookie-data-to-test \
  "json:{'file.driver':'http',
         'file.cookie-secret':'cookies',
         'file.url':'http://78.47.108.109:8080/cgi-bin/cookie-test.rb'}" \
  /tmp/cookie-data

And then the file /tmp/cookie-data should contain the string "cookie-data-to-test" (probably padded with zero-bytes to a length of 512 bytes).


Max
Comment 6 Longxiang Lyu 2017-10-26 05:40:15 UTC 
Verified that qemu-kvm-rhev-2.10.0-3.el7 supports pass http cookies in the file.

Step to verify:
# qemu-img info "json:{'file.driver':'http','file.cookie-secret':'cookies','file.url':'http://10.66.11.1/image/rhel74-64-virtio.qcow2'}" --object secret,id=cookies,data=this-is-a-test
image: json:{"driver": "qcow2", "file": {"url": "http://10.66.11.1/image/rhel74-64-virtio.qcow2", "cookie-secret": "cookies", "driver": "http"}}
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: unavailable
cluster_size: 65536
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false
Comment 8 errata-xmlrpc 2018-04-11 00:16:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1104
Note You need to log in before you can comment on or make changes to this bug.