Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
38
.gitignore
vendored
38
.gitignore
vendored
@ -1,22 +1,22 @@
|
||||
SOURCES/HAM-logo.png
|
||||
SOURCES/backports-3.24.1.gem
|
||||
SOURCES/dacite-1.8.1.tar.gz
|
||||
SOURCES/dataclasses-0.8.tar.gz
|
||||
SOURCES/backports-3.25.1.gem
|
||||
SOURCES/base64-0.2.0.gem
|
||||
SOURCES/childprocess-5.1.0.gem
|
||||
SOURCES/dacite-1.9.2.tar.gz
|
||||
SOURCES/ethon-0.16.0.gem
|
||||
SOURCES/ffi-1.16.3.gem
|
||||
SOURCES/json-2.6.3.gem
|
||||
SOURCES/mustermann-2.0.2.gem
|
||||
SOURCES/nio4r-2.5.9.gem
|
||||
SOURCES/open4-1.3.4-1.gem
|
||||
SOURCES/pcs-0.10.18.tar.gz
|
||||
SOURCES/puma-6.4.0.gem
|
||||
SOURCES/ffi-1.17.2.gem
|
||||
SOURCES/logger-1.7.0.gem
|
||||
SOURCES/mustermann-3.0.3.gem
|
||||
SOURCES/nio4r-2.7.4.gem
|
||||
SOURCES/pcs-0.11.10.tar.gz
|
||||
SOURCES/pcs-web-ui-0.1.23.tar.gz
|
||||
SOURCES/pcs-web-ui-node-modules-0.1.23.tar.xz
|
||||
SOURCES/puma-6.6.0.gem
|
||||
SOURCES/pyagentx-0.4.pcs.2.tar.gz
|
||||
SOURCES/python-dateutil-2.8.2.tar.gz
|
||||
SOURCES/rack-2.2.20.gem
|
||||
SOURCES/rack-protection-2.2.4.gem
|
||||
SOURCES/rack-test-2.1.0.gem
|
||||
SOURCES/rexml-3.4.1.gem
|
||||
SOURCES/rack-3.1.16.gem
|
||||
SOURCES/rack-protection-4.1.1.gem
|
||||
SOURCES/rack-session-2.1.1.gem
|
||||
SOURCES/rack-test-2.2.0.gem
|
||||
SOURCES/rackup-2.2.1.gem
|
||||
SOURCES/ruby2_keywords-0.0.5.gem
|
||||
SOURCES/sinatra-2.2.4.gem
|
||||
SOURCES/tilt-2.3.0.gem
|
||||
SOURCES/tornado-6.1.0.pcs.2.tar.gz
|
||||
SOURCES/sinatra-4.1.1.gem
|
||||
SOURCES/tilt-2.6.0.gem
|
||||
|
||||
@ -1,22 +1,22 @@
|
||||
b15d48d01ccd5a2a481e3a0c66928eed4bd98b8f SOURCES/HAM-logo.png
|
||||
0ef72a288913e220695ad62718aeb75171924028 SOURCES/backports-3.24.1.gem
|
||||
07b26abbf7ff0dcba5c7f9e814ff7eebafefb058 SOURCES/dacite-1.8.1.tar.gz
|
||||
8b7598273d2ae6dad2b88466aefac55071a41926 SOURCES/dataclasses-0.8.tar.gz
|
||||
5a346174c2d09489759fe47f73d7e072753a127c SOURCES/backports-3.25.1.gem
|
||||
ea3a591bdfa93655d8eec9d7bdd7fb87ecb5616a SOURCES/base64-0.2.0.gem
|
||||
963b12b359251f41998eebe6f6adfec92fe6f49f SOURCES/childprocess-5.1.0.gem
|
||||
01690d9883c149890e04dce4db43ec305959aa39 SOURCES/dacite-1.9.2.tar.gz
|
||||
5b56a68268708c474bef04550639ded3add5e946 SOURCES/ethon-0.16.0.gem
|
||||
10e4cf0e11ef4581ec4ad5fe2cdf3c78b6077d39 SOURCES/ffi-1.16.3.gem
|
||||
6d78f730b7f3b25fb3f93684fe1364acf58bce6b SOURCES/json-2.6.3.gem
|
||||
f5f804366823c1126791dfefd98dd0539563785c SOURCES/mustermann-2.0.2.gem
|
||||
2f65d371f5f37460ad74afcedcb97d2b41a46806 SOURCES/nio4r-2.5.9.gem
|
||||
41a7fe9f8e3e02da5ae76c821b89c5b376a97746 SOURCES/open4-1.3.4-1.gem
|
||||
b3cd873042b17021355b68f1f7aa313f0c1f3fee SOURCES/pcs-0.10.18.tar.gz
|
||||
d6049c4555f3c9d198e6eb1d7e53ce9b68e175ff SOURCES/puma-6.4.0.gem
|
||||
01747fce469e932b701cb7a35d1ef4b3c68eb170 SOURCES/ffi-1.17.2.gem
|
||||
abfa641d98ab2e71bc8102b0aab2f466569668d2 SOURCES/logger-1.7.0.gem
|
||||
249a573022dde130372f0ebbeaf2430f36c2b664 SOURCES/mustermann-3.0.3.gem
|
||||
34b5b1cb50f18d6ec6c5d5cbcb823e7f81f54290 SOURCES/nio4r-2.7.4.gem
|
||||
75ffdc7ecaad560d26ce453cbc6d05ec755dbdcc SOURCES/pcs-0.11.10.tar.gz
|
||||
6ce5e06811ffcaa492fce44383e1576219812096 SOURCES/pcs-web-ui-0.1.23.tar.gz
|
||||
ada7c4bba63a59195aee0780256773ebc2370d2e SOURCES/pcs-web-ui-node-modules-0.1.23.tar.xz
|
||||
0b7e5a3f71fc28d19e4758a44ffe07d20eff1e8e SOURCES/puma-6.6.0.gem
|
||||
3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
|
||||
c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
|
||||
4c52ad6f798e78d4a1800257ef0d7fc5ac254712 SOURCES/rack-2.2.20.gem
|
||||
5347315a7283f0b04443e924ed4eaa17807432c8 SOURCES/rack-protection-2.2.4.gem
|
||||
ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem
|
||||
966b1564a77719483eb61068ed1dfb638e5e8eb0 SOURCES/rexml-3.4.1.gem
|
||||
85933f70100a1c7a2b226aec518dce8e4fe0c6d6 SOURCES/rack-3.1.16.gem
|
||||
2d54ab33eeefdca80b76fc3b749add669182877d SOURCES/rack-protection-4.1.1.gem
|
||||
654168c0755ffe10443dd066276d4661bafdb2a4 SOURCES/rack-session-2.1.1.gem
|
||||
922c597f0503f97dc3a058fe997590b108bc429a SOURCES/rack-test-2.2.0.gem
|
||||
efa414fe946ccc1f70e64337d206e98807baa717 SOURCES/rackup-2.2.1.gem
|
||||
d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
|
||||
fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem
|
||||
4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem
|
||||
3e0fc1e17c45a8e25bdd6ade8dbbc522f64f2ae1 SOURCES/tornado-6.1.0.pcs.2.tar.gz
|
||||
805ac713697fa096402b55497aa72f0e81be4a4c SOURCES/sinatra-4.1.1.gem
|
||||
a646616f117285087d4a8df99d53cf8b01c5405e SOURCES/tilt-2.6.0.gem
|
||||
|
||||
@ -1,55 +0,0 @@
|
||||
From 957856a556f5ed92129ce602538c3df3aebce7a3 Mon Sep 17 00:00:00 2001
|
||||
From: Ivan Devat <idevat@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 15:18:35 +0100
|
||||
Subject: [PATCH 2/2] disable alternative webui routes
|
||||
|
||||
This commit is intended to be downstream only.
|
||||
|
||||
The new web ui was part of rhel8 as a technical preview. But new web ui
|
||||
is now the main in rhel9 and there is no need to keep it in rhel8.
|
||||
To prevent unnecessary maintenance burden it is disabled now.
|
||||
No handler code is removed, just routing disabled.
|
||||
---
|
||||
pcs/daemon/run.py | 26 ++++++++++++++++----------
|
||||
1 file changed, 16 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/pcs/daemon/run.py b/pcs/daemon/run.py
|
||||
index 7fdeda2a..0a6b1b21 100644
|
||||
--- a/pcs/daemon/run.py
|
||||
+++ b/pcs/daemon/run.py
|
||||
@@ -81,16 +81,22 @@ def configure_app(
|
||||
routes.extend(
|
||||
# old web ui by default
|
||||
[(r"/", RedirectHandler, dict(url="/manage"))]
|
||||
- + [(r"/ui", RedirectHandler, dict(url="/ui/"))]
|
||||
- + ui.get_routes(
|
||||
- url_prefix="/ui/",
|
||||
- app_dir=os.path.join(public_dir, "ui"),
|
||||
- fallback_page_path=os.path.join(
|
||||
- public_dir,
|
||||
- "ui_instructions.html",
|
||||
- ),
|
||||
- session_storage=session_storage,
|
||||
- )
|
||||
+ # The following disabled routes was for the new web ui. The new
|
||||
+ # web ui was here as a technical preview. But new web ui is now
|
||||
+ # the main in rhel9 and there is no need to keep it in rhel8.
|
||||
+ # To prevent unnecessary maintenance burden it is disabled now.
|
||||
+ # No handler code is removed, just routing disabled.
|
||||
+ #
|
||||
+ # + [(r"/ui", RedirectHandler, dict(url="/ui/"))]
|
||||
+ # + ui.get_routes(
|
||||
+ # url_prefix="/ui/",
|
||||
+ # app_dir=os.path.join(public_dir, "ui"),
|
||||
+ # fallback_page_path=os.path.join(
|
||||
+ # public_dir,
|
||||
+ # "ui_instructions.html",
|
||||
+ # ),
|
||||
+ # session_storage=session_storage,
|
||||
+ # )
|
||||
+ sinatra_ui.get_routes(
|
||||
session_storage, ruby_pcsd_wrapper, public_dir
|
||||
)
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,52 +0,0 @@
|
||||
From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
|
||||
From: Ivan Devat <idevat@redhat.com>
|
||||
Date: Thu, 7 Mar 2024 16:51:13 +0100
|
||||
Subject: [PATCH] stop sending http headers to ruby part of pcsd
|
||||
|
||||
---
|
||||
pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
|
||||
1 file changed, 22 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
|
||||
index 4b3b0ea1..e07e17cc 100644
|
||||
--- a/pcs/daemon/ruby_pcsd.py
|
||||
+++ b/pcs/daemon/ruby_pcsd.py
|
||||
@@ -87,13 +87,34 @@ class RubyDaemonRequest(
|
||||
http_request: HTTPServerRequest = None,
|
||||
payload=None,
|
||||
):
|
||||
- headers = http_request.headers if http_request else HTTPHeaders()
|
||||
+ # Headers from request are not propagated to ruby part. Ruby part doesn't
|
||||
+ # work with standard headers in any special way. So, we send only path,
|
||||
+ # method, query, body and special headers for communication between
|
||||
+ # python part and ruby part. Tornado then adds necessary default
|
||||
+ # headers. The motivation here is to prevent processing potentially
|
||||
+ # maliciously crafted headers by rack.
|
||||
+ headers = HTTPHeaders()
|
||||
headers.add("X-Pcsd-Type", request_type)
|
||||
if payload:
|
||||
headers.add(
|
||||
"X-Pcsd-Payload",
|
||||
b64encode(json.dumps(payload).encode()).decode(),
|
||||
)
|
||||
+ if http_request:
|
||||
+ for key, val in http_request.headers.get_all():
|
||||
+ # From webui, POST request can come with either
|
||||
+ # application/x-www-form-urlencoded or application/json content
|
||||
+ # type. When we remove original HTTP headers, content type is
|
||||
+ # added by tornado. But in the case of original application/json,
|
||||
+ # tornado puts application/x-www-form-urlencoded there. To fix
|
||||
+ # this let's keep the original header here in this case.
|
||||
+ #
|
||||
+ # The token, CIB_user and CIB_user_groups are transferred by the
|
||||
+ # "Cookie" header and these information are evaluated in ruby.
|
||||
+ if (
|
||||
+ key.lower() == "content-type" and val == "application/json"
|
||||
+ ) or key.lower() == "cookie":
|
||||
+ headers.add(key, val)
|
||||
return super(RubyDaemonRequest, cls).__new__(
|
||||
cls,
|
||||
request_type,
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -1,45 +0,0 @@
|
||||
From 0ad47ec40b7a9a2cb6bdbdf11e1e5b3c59f49b8b Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Lisik <mlisik@redhat.com>
|
||||
Date: Tue, 20 May 2025 16:34:18 +0200
|
||||
Subject: [PATCH] support for query limits in rack
|
||||
|
||||
---
|
||||
pcsd/conf/pcsd | 6 ++++++
|
||||
pcsd/pcsd.rb | 5 +++++
|
||||
2 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
|
||||
index 98df4744..65a9c9a9 100644
|
||||
--- a/pcsd/conf/pcsd
|
||||
+++ b/pcsd/conf/pcsd
|
||||
@@ -45,5 +45,11 @@ PCSD_SESSION_LIFETIME=3600
|
||||
# is 50 (even if set lower).
|
||||
PCSD_RESTART_AFTER_REQUESTS=200
|
||||
|
||||
+# These environment variables set the maximum query string bytesize and the
|
||||
+# maximum number of query parameters that pcsd will attempt to parse.
|
||||
+# See CVE-2025-46727 for details.
|
||||
+#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
|
||||
+#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
|
||||
+
|
||||
# Do not change
|
||||
RACK_ENV=production
|
||||
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
|
||||
index 11698f54..a2634e4e 100644
|
||||
--- a/pcsd/pcsd.rb
|
||||
+++ b/pcsd/pcsd.rb
|
||||
@@ -90,6 +90,11 @@ configure do
|
||||
CAPABILITIES_PCSD = capabilities_pcsd.freeze
|
||||
end
|
||||
|
||||
+error Rack::QueryParser::QueryLimitError do
|
||||
+ $logger.warn(env['sinatra.error'].message)
|
||||
+ return 400, env['sinatra.error'].message
|
||||
+end
|
||||
+
|
||||
def run_cfgsync
|
||||
node_connected = true
|
||||
if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,53 +1,38 @@
|
||||
From 854efcf148c82e5a5e4f0afd71cc3333ea4a8ce4 Mon Sep 17 00:00:00 2001
|
||||
From cfb2014ad5b360c51d89ea318f0f9ddb2825b4a3 Mon Sep 17 00:00:00 2001
|
||||
From: Ivan Devat <idevat@redhat.com>
|
||||
Date: Tue, 20 Nov 2018 15:03:56 +0100
|
||||
Subject: [PATCH 1/2] do not support cluster setup with udp(u) transport
|
||||
Subject: [PATCH] do not support cluster setup with udp(u) transport in RHEL9
|
||||
|
||||
---
|
||||
pcs/pcs.8.in | 2 ++
|
||||
pcs/usage.py | 1 +
|
||||
pcsd/public/css/style.css | 3 +++
|
||||
3 files changed, 6 insertions(+)
|
||||
pcs/pcs.8.in | 2 ++
|
||||
pcs/usage.py | 1 +
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/pcs/pcs.8.in b/pcs/pcs.8.in
|
||||
index d504e8b4..93202d05 100644
|
||||
index 14c1674a..ee71bb03 100644
|
||||
--- a/pcs/pcs.8.in
|
||||
+++ b/pcs/pcs.8.in
|
||||
@@ -438,6 +438,8 @@ By default, encryption is enabled with cipher=aes256 and hash=sha256. To disable
|
||||
@@ -479,6 +479,8 @@ By default, encryption is enabled with cipher=aes256 and hash=sha256. To disable
|
||||
|
||||
Transports udp and udpu:
|
||||
.br
|
||||
+WARNING: These transports are not supported in RHEL 8.
|
||||
+WARNING: These transports are not supported in RHEL 9.
|
||||
+.br
|
||||
These transports are limited to one address per node. They do not support traffic encryption nor compression.
|
||||
.br
|
||||
Transport options are: ip_version, netmtu
|
||||
diff --git a/pcs/usage.py b/pcs/usage.py
|
||||
index f4b84202..ee10370a 100644
|
||||
index 102deceb..4d63192d 100644
|
||||
--- a/pcs/usage.py
|
||||
+++ b/pcs/usage.py
|
||||
@@ -1038,6 +1038,7 @@ Commands:
|
||||
@@ -1498,6 +1498,7 @@ Commands:
|
||||
hash=sha256. To disable encryption, set cipher=none and hash=none.
|
||||
|
||||
Transports udp and udpu:
|
||||
+ WARNING: These transports are not supported in RHEL 8.
|
||||
+ WARNING: These transports are not supported in RHEL 9.
|
||||
These transports are limited to one address per node. They do not
|
||||
support traffic encryption nor compression.
|
||||
Transport options are:
|
||||
diff --git a/pcsd/public/css/style.css b/pcsd/public/css/style.css
|
||||
index 2f26e831..a7702ac4 100644
|
||||
--- a/pcsd/public/css/style.css
|
||||
+++ b/pcsd/public/css/style.css
|
||||
@@ -949,6 +949,9 @@ table.args-table td.reg {
|
||||
width: 6ch;
|
||||
text-align: right;
|
||||
}
|
||||
+#csetup-transport .transport-types {
|
||||
+ display: none;
|
||||
+}
|
||||
#csetup-transport-options.udp .knet-only,
|
||||
#csetup-transport-options.knet .without-knet
|
||||
{
|
||||
--
|
||||
2.43.0
|
||||
2.50.0
|
||||
|
||||
|
||||
1041
SPECS/pcs.spec
1041
SPECS/pcs.spec
File diff suppressed because it is too large