[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] ESX: Don't automatically follow redirects.



2009/10/28 Daniel P. Berrange <berrange redhat com>:
> On Wed, Oct 28, 2009 at 09:12:06PM +0100, Matthias Bolte wrote:
>> The default transport for the VI API is HTTPS. If the server redirects
>> from HTTPS to HTTP the driver would silently follow that redirection.
>> The user assumes to communicate with the server over a secure transport
>> but isn't.
>
> Good catch, this is definitely something we don't want to happen.
>
>> This patch disables automatical redirection following. The driver reports
>> an error if the server tries to redirect.
>
> Is the user likely to hit any redirects in the real world, or is this
> just an edge case. If they're likely to hit redirects, then we might
> want to allow a redirect if it points to another paths on the same
> server as the original URI, and is using HTTPS.
>
> Daniel

As far as I can tell it's an edge case.

The available transports can be configured on the ESX server. Default
is HTTPS-only, but you can configure it to use HTTPS+HTTP or
HTTP-only. The ESX server redirects you to the other protocol if you
try to access it via a disabled one. I'm not aware of any other
situation that results in a redirect.

Matthias


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]