4 changed files with 8 additions and 78 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,10 +12,10 @@ SOURCES/pcs-0.10.18.tar.gz
 SOURCES/puma-6.4.0.gem
 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 SOURCES/python-dateutil-2.8.2.tar.gz
-SOURCES/rack-2.2.8.1.gem
+SOURCES/rack-2.2.8.gem
 SOURCES/rack-protection-2.2.4.gem
 SOURCES/rack-test-2.1.0.gem
-SOURCES/rexml-3.3.6.gem
+SOURCES/rexml-3.2.6.gem
 SOURCES/ruby2_keywords-0.0.5.gem
 SOURCES/sinatra-2.2.4.gem
 SOURCES/tilt-2.3.0.gem
--- a/.pcs.metadata
+++ b/.pcs.metadata
@ -12,10 +12,10 @@ b3cd873042b17021355b68f1f7aa313f0c1f3fee SOURCES/pcs-0.10.18.tar.gz
 d6049c4555f3c9d198e6eb1d7e53ce9b68e175ff SOURCES/puma-6.4.0.gem
 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
 c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
-fcdee79d1b0bb7e3666bad96321fc124bc8215e9 SOURCES/rack-2.2.8.1.gem
+f0cdb53d6ed96f91851c32bccf9b21c4662afd2d SOURCES/rack-2.2.8.gem
 5347315a7283f0b04443e924ed4eaa17807432c8 SOURCES/rack-protection-2.2.4.gem
 ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
-89f8446e89976f3677767d426a4edc6ccba574be SOURCES/rexml-3.3.6.gem
+c88fc3ffdbde9dd49b24b4d9876673533b4aba76 SOURCES/rexml-3.2.6.gem
 d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
 fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
 4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
--- a/SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
+++ b/SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
@ -1,52 +0,0 @@
-From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
-From: Ivan Devat <idevat@redhat.com>
-Date: Thu, 7 Mar 2024 16:51:13 +0100
-Subject: [PATCH] stop sending http headers to ruby part of pcsd
-
---
- pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
-index 4b3b0ea1..e07e17cc 100644
--- a/pcs/daemon/ruby_pcsd.py
-+++ b/pcs/daemon/ruby_pcsd.py
-@@ -87,13 +87,34 @@ class RubyDaemonRequest(
-         http_request: HTTPServerRequest = None,
-         payload=None,
-     ):
-        headers = http_request.headers if http_request else HTTPHeaders()
-+        # Headers from request are not propagated to ruby part. Ruby part doesn't
-+        # work with standard headers in any special way. So, we send only path,
-+        # method, query, body and special headers for communication between
-+        # python part and ruby part. Tornado then adds necessary default
-+        # headers. The motivation here is to prevent processing potentially
-+        # maliciously crafted headers by rack.
-+        headers = HTTPHeaders()
-         headers.add("X-Pcsd-Type", request_type)
-         if payload:
-             headers.add(
-                 "X-Pcsd-Payload",
-                 b64encode(json.dumps(payload).encode()).decode(),
-             )
-+        if http_request:
-+            for key, val in http_request.headers.get_all():
-+                # From webui, POST request can come with either
-+                # application/x-www-form-urlencoded or application/json content
-+                # type. When we remove original HTTP headers, content type is
-+                # added by tornado. But in the case of original application/json,
-+                # tornado puts application/x-www-form-urlencoded there. To fix
-+                # this let's keep the original header here in this case.
-+                #
-+                # The token, CIB_user and CIB_user_groups are transferred by the
-+                # "Cookie" header and these information are evaluated in ruby.
-+                if (
-+                    key.lower() == "content-type" and val == "application/json"
-+                ) or key.lower() == "cookie":
-+                    headers.add(key, val)
-         return super(RubyDaemonRequest, cls).__new__(
-             cls,
-             request_type,
-- 
-2.47.0
-
--- a/SPECS/pcs.spec
+++ b/SPECS/pcs.spec
@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.3
+Release: 1%{?dist}
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@ -39,10 +39,10 @@ ExclusiveArch: i686 x86_64 s390x ppc64le aarch64
 %global version_rubygem_nio4r 2.5.9
 %global version_rubygem_open4  1.3.4
 %global version_rubygem_puma 6.4.0
-%global version_rubygem_rack  2.2.8.1
+%global version_rubygem_rack  2.2.8
 %global version_rubygem_rack_protection  2.2.4
 %global version_rubygem_rack_test  2.1.0
-%global version_rubygem_rexml  3.3.6
+%global version_rubygem_rexml  3.2.6
 %global version_rubygem_ruby2_keywords  0.0.5
 %global version_rubygem_sinatra  2.2.4
 %global version_rubygem_tilt  2.3.0
@ -115,7 +115,6 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 # Patch1: bzNUMBER-01-name.patch
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
-Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch

 # git for patches
 BuildRequires: git-core
@ -241,7 +240,7 @@ Summary: Pacemaker cluster SNMP agent
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
 # BSD-2-Clause: pyagentx
-License: GPL-2.0-only AND BSD-2-Clause
+License: GPL-2.0-only and BSD-2-Clause
 URL: https://github.com/ClusterLabs/pcs

 # tar for unpacking pyagentx source tarball
@ -305,7 +304,6 @@ update_times_patch(){
 # update_times_patch %%{PATCH1}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
-update_times_patch %{PATCH3}

 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@ -562,22 +560,6 @@ remove_all_tests
 %license pyagentx_LICENSE.txt

 %changelog
-* Wed Dec 4 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.3
- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd
-  Resolves: RHEL-65595
-
-* Thu Aug 29 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.2
- Updated rubygem rexml
-  Resolves: RHEL-52409, RHEL-52788, RHEL-55997
-
-* Wed Mar 20 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2
- Updated rubygem rexml
-  Resolves: RHEL-37883
-
-* Wed Mar 20 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2
- Fixed CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 in bundled dependency rack
-  Resolves: RHEL-26445, RHEL-26447, RHEL-26449
-
 * Mon Jan 8 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-1
 - Rebased to the latest sources (see CHANGELOG.md)
  Resolves: RHEL-7741