rpms/pcs
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Debrand logo

Browse Source
This commit is contained in:
Eduard Abdullin 2025-03-17 07:36:56 +00:00 committed by root
commit 5d330b6225
4 changed files with 68 additions and 6 deletions

2
.gitignore vendored
View File

@ -19,4 +19,4 @@ SOURCES/rexml-3.3.6.gem
SOURCES/ruby2_keywords-0.0.5.gem
SOURCES/sinatra-2.2.4.gem
SOURCES/tilt-2.3.0.gem
SOURCES/tornado-6.1.0.tar.gz
SOURCES/tornado-6.1.0.pcs.1.tar.gz

2
.pcs.metadata
View File

@ -19,4 +19,4 @@ ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
c23c617c7a0205e465bebad5b8cdf289ae8402a2 SOURCES/tornado-6.1.0.tar.gz
c65f61a0f55a342f142f2a6be2d5fcc7f4cab0c9 SOURCES/tornado-6.1.0.pcs.1.tar.gz

52
SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch Normal file
View File

@ -0,0 +1,52 @@
From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
From: Ivan Devat <idevat@redhat.com>
Date: Thu, 7 Mar 2024 16:51:13 +0100
Subject: [PATCH] stop sending http headers to ruby part of pcsd
---
pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
index 4b3b0ea1..e07e17cc 100644
--- a/pcs/daemon/ruby_pcsd.py
+++ b/pcs/daemon/ruby_pcsd.py
@@ -87,13 +87,34 @@ class RubyDaemonRequest(
http_request: HTTPServerRequest = None,
payload=None,
):
- headers = http_request.headers if http_request else HTTPHeaders()
+ # Headers from request are not propagated to ruby part. Ruby part doesn't
+ # work with standard headers in any special way. So, we send only path,
+ # method, query, body and special headers for communication between
+ # python part and ruby part. Tornado then adds necessary default
+ # headers. The motivation here is to prevent processing potentially
+ # maliciously crafted headers by rack.
+ headers = HTTPHeaders()
headers.add("X-Pcsd-Type", request_type)
if payload:
headers.add(
"X-Pcsd-Payload",
b64encode(json.dumps(payload).encode()).decode(),
)
+ if http_request:
+ for key, val in http_request.headers.get_all():
+ # From webui, POST request can come with either
+ # application/x-www-form-urlencoded or application/json content
+ # type. When we remove original HTTP headers, content type is
+ # added by tornado. But in the case of original application/json,
+ # tornado puts application/x-www-form-urlencoded there. To fix
+ # this let's keep the original header here in this case.
+ #
+ # The token, CIB_user and CIB_user_groups are transferred by the
+ # "Cookie" header and these information are evaluated in ruby.
+ if (
+ key.lower() == "content-type" and val == "application/json"
+ ) or key.lower() == "cookie":
+ headers.add(key, val)
return super(RubyDaemonRequest, cls).__new__(
cls,
request_type,
--
2.47.0

18
SPECS/pcs.spec
View File

@ -1,6 +1,6 @@
Name: pcs
Version: 0.10.18
Release: 2%{?dist}.2.alma.1
Release: 2%{?dist}.4.alma.1
# https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
# https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
# GPL-2.0-only: pcs
@ -55,7 +55,7 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
# DO NOT UPDATE
# Tornado 6.2 requires Python 3.7+
%global tornado_version 6.1.0
%global tornado_version 6.1.0.pcs.1
%global pcs_bundled_dir pcs_bundled
%global pcsd_public_dir pcsd/public
@ -87,7 +87,7 @@ Source0: %{url}/archive/%{?v_prefix}%{version_or_commit}/%{pcs_source_name}.tar.
Source1: HAM-logo.png
Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}/pyagentx-%{pyagentx_version}.tar.gz
Source42: https://github.com/tornadoweb/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
Source42: https://github.com/CtrlZmaster/tornado/archive/v%{tornado_version}/tornado-%{tornado_version}.tar.gz
Source43: https://github.com/ericvsmith/dataclasses/archive/%{dataclasses_version}/dataclasses-%{dataclasses_version}.tar.gz
Source44: https://github.com/konradhalas/dacite/archive/v%{dacite_version}/dacite-%{dacite_version}.tar.gz
Source45: https://pypi.python.org/packages/source/p/python-dateutil/python-dateutil-%{dateutil_version}.tar.gz
@ -115,6 +115,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
# Patch1: bzNUMBER-01-name.patch
Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
Patch2: RHEL-17280-01-disable-new-webui-routes.patch
Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
# git for patches
BuildRequires: git-core
@ -304,6 +305,7 @@ update_times_patch(){
# update_times_patch %%{PATCH1}
update_times_patch %{PATCH1}
update_times_patch %{PATCH2}
update_times_patch %{PATCH3}
# generate .tarball-version if building from an untagged commit, not a released version
# autogen uses git-version-gen which uses .tarball-version for generating version number
@ -560,9 +562,17 @@ remove_all_tests
%license pyagentx_LICENSE.txt
%changelog
* Mon Sep 16 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.el8_10.2.alma
* Mon Mar 17 2025 Eduard Abdullin <eabdullin@almalinux.org> - 0.10.18-2.4.alma.1
- Debrand logo
* Tue Mar 4 2025 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2%dist.3
- Fixed CVE-2024-52804 by patching bundled Tornado
Resolves: RHEL-81924
* Wed Dec 4 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.3
- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd
Resolves: RHEL-65595
* Thu Aug 29 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.2
- Updated rubygem rexml
Resolves: RHEL-52409, RHEL-52788, RHEL-55997