[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] block: curl: Allow passing cookies via QCryptoS
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH] block: curl: Allow passing cookies via QCryptoSecret |
Date: |
Thu, 4 May 2017 09:22:19 -0500 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.0 |
On 05/04/2017 09:00 AM, Peter Krempa wrote:
> Since cookies can contain sensitive data (session ID, etc ...) it is
> desired to hide them from the prying eyes of users. Add a possibility to
> pass them via the secret infrastructure.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413
>
> Signed-off-by: Peter Krempa <address@hidden>
> ---
> block/curl.c | 24 +++++++++++++++++++++++-
> qapi/block-core.json | 12 ++++++++++--
> 2 files changed, 33 insertions(+), 3 deletions(-)
>
> + if (cookie_secret) {
> + s->cookie = qcrypto_secret_lookup_as_utf8(cookie_secret, errp);
> + if (!s->cookie) {
> + goto out_noclean;
> + }
Can s->cookie ever be exposed back to the user (such as via a
query-block command)? If so, we should rather store cookie_secret for
display to the user, rather than the decoded version.
But I couldn't see where we would expose it, so I think you are safe.
I'd wait for another review, probably from Dan since he is the
secret-object expert, but I'm comfortable if you add:
Reviewed-by: Eric Blake <address@hidden>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature