[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] ESX: Don't automatically follow redirects.



On Wed, Oct 28, 2009 at 09:12:06PM +0100, Matthias Bolte wrote:
> The default transport for the VI API is HTTPS. If the server redirects
> from HTTPS to HTTP the driver would silently follow that redirection.
> The user assumes to communicate with the server over a secure transport
> but isn't.

Good catch, this is definitely something we don't want to happen.

> This patch disables automatical redirection following. The driver reports
> an error if the server tries to redirect.

Is the user likely to hit any redirects in the real world, or is this
just an edge case. If they're likely to hit redirects, then we might
want to allow a redirect if it points to another paths on the same
server as the original URI, and is using HTTPS.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]