pcs-0.10.18-2.el8_10.3
- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd Resolves: RHEL-65595
									ff054b423f
						commit
						6b97a2ee75
					
				| @ -0,0 +1,52 @@ | |||||||
|  | From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Ivan Devat <idevat@redhat.com> | ||||||
|  | Date: Thu, 7 Mar 2024 16:51:13 +0100 | ||||||
|  | Subject: [PATCH] stop sending http headers to ruby part of pcsd | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++- | ||||||
|  |  1 file changed, 22 insertions(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
 | ||||||
|  | index 4b3b0ea1..e07e17cc 100644
 | ||||||
|  | --- a/pcs/daemon/ruby_pcsd.py
 | ||||||
|  | +++ b/pcs/daemon/ruby_pcsd.py
 | ||||||
|  | @@ -87,13 +87,34 @@ class RubyDaemonRequest(
 | ||||||
|  |          http_request: HTTPServerRequest = None, | ||||||
|  |          payload=None, | ||||||
|  |      ): | ||||||
|  | -        headers = http_request.headers if http_request else HTTPHeaders()
 | ||||||
|  | +        # Headers from request are not propagated to ruby part. Ruby part doesn't
 | ||||||
|  | +        # work with standard headers in any special way. So, we send only path,
 | ||||||
|  | +        # method, query, body and special headers for communication between
 | ||||||
|  | +        # python part and ruby part. Tornado then adds necessary default
 | ||||||
|  | +        # headers. The motivation here is to prevent processing potentially
 | ||||||
|  | +        # maliciously crafted headers by rack.
 | ||||||
|  | +        headers = HTTPHeaders()
 | ||||||
|  |          headers.add("X-Pcsd-Type", request_type) | ||||||
|  |          if payload: | ||||||
|  |              headers.add( | ||||||
|  |                  "X-Pcsd-Payload", | ||||||
|  |                  b64encode(json.dumps(payload).encode()).decode(), | ||||||
|  |              ) | ||||||
|  | +        if http_request:
 | ||||||
|  | +            for key, val in http_request.headers.get_all():
 | ||||||
|  | +                # From webui, POST request can come with either
 | ||||||
|  | +                # application/x-www-form-urlencoded or application/json content
 | ||||||
|  | +                # type. When we remove original HTTP headers, content type is
 | ||||||
|  | +                # added by tornado. But in the case of original application/json,
 | ||||||
|  | +                # tornado puts application/x-www-form-urlencoded there. To fix
 | ||||||
|  | +                # this let's keep the original header here in this case.
 | ||||||
|  | +                #
 | ||||||
|  | +                # The token, CIB_user and CIB_user_groups are transferred by the
 | ||||||
|  | +                # "Cookie" header and these information are evaluated in ruby.
 | ||||||
|  | +                if (
 | ||||||
|  | +                    key.lower() == "content-type" and val == "application/json"
 | ||||||
|  | +                ) or key.lower() == "cookie":
 | ||||||
|  | +                    headers.add(key, val)
 | ||||||
|  |          return super(RubyDaemonRequest, cls).__new__( | ||||||
|  |              cls, | ||||||
|  |              request_type, | ||||||
|  | -- 
 | ||||||
|  | 2.47.0 | ||||||
|  | 
 | ||||||
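Review bot: The Content-Type allowlist at `key.lower() == "content-type" and val == "application/json"` compares the whole header value, so a request sent as `application/json; charset=utf-8` (or with different casing of the media type) loses its Content-Type, and by the comment just above it tornado then substitutes application/x-www-form-urlencoded, which presumably makes the ruby side misparse a JSON body. Comparing only the media type closes that gap: `key.lower() == "content-type" and val.split(";", 1)[0].strip().lower() == "application/json"`. It is also worth stating in the comment that the allowlist narrows header names only — the Cookie header is forwarded verbatim, so the token, CIB_user and CIB_user_groups values it carries are still validated on the ruby side, not here. The enclosing `__new__` of RubyDaemonRequest starts before and ends after this hunk.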
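--- a/pcs.spec
+++ b/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.2
+Release: 2%{?dist}.3
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -115,6 +115,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 # Patch1: bzNUMBER-01-name.patch
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
+Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
 
 # git for patches
 BuildRequires: git-core
@@ -304,6 +305,7 @@ update_times_patch(){
 # update_times_patch %%{PATCH1}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
+update_times_patch %{PATCH3}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -560,6 +562,10 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
+* Wed Dec 4 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.3
+- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd
+  Resolves: RHEL-65595
+
 * Thu Aug 29 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.2
 - Updated rubygem rexml
   Resolves: RHEL-52409, RHEL-52788, RHEL-55997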