Compare commits


No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

7 changed files with 619 additions and 686 deletions

40
.gitignore vendored

@ -1,22 +1,22 @@
SOURCES/HAM-logo.png SOURCES/backports-3.25.2.gem
SOURCES/backports-3.24.1.gem SOURCES/base64-0.2.0.gem
SOURCES/dacite-1.8.1.tar.gz SOURCES/childprocess-5.1.0.gem
SOURCES/dataclasses-0.8.tar.gz SOURCES/dacite-1.9.2.tar.gz
SOURCES/ethon-0.16.0.gem SOURCES/ethon-0.18.0.gem
SOURCES/ffi-1.16.3.gem SOURCES/ffi-1.17.2.gem
SOURCES/json-2.6.3.gem SOURCES/logger-1.7.0.gem
SOURCES/mustermann-2.0.2.gem SOURCES/mustermann-3.0.4.gem
SOURCES/nio4r-2.5.9.gem SOURCES/nio4r-2.7.5.gem
SOURCES/open4-1.3.4-1.gem SOURCES/pcs-0.11.11.tar.gz
SOURCES/pcs-0.10.18.tar.gz SOURCES/pcs-web-ui-0.1.24.2.tar.gz
SOURCES/puma-6.4.0.gem SOURCES/pcs-web-ui-node-modules-0.1.24.2.tar.xz
SOURCES/puma-7.1.0.gem
SOURCES/pyagentx-0.4.pcs.2.tar.gz SOURCES/pyagentx-0.4.pcs.2.tar.gz
SOURCES/python-dateutil-2.8.2.tar.gz SOURCES/rack-3.2.4.gem
SOURCES/rack-2.2.20.gem SOURCES/rack-protection-4.2.1.gem
SOURCES/rack-protection-2.2.4.gem SOURCES/rack-session-2.1.1.gem
SOURCES/rack-test-2.1.0.gem SOURCES/rack-test-2.2.0.gem
SOURCES/rexml-3.4.1.gem SOURCES/rackup-2.2.1.gem
SOURCES/ruby2_keywords-0.0.5.gem SOURCES/ruby2_keywords-0.0.5.gem
SOURCES/sinatra-2.2.4.gem SOURCES/sinatra-4.2.1.gem
SOURCES/tilt-2.3.0.gem SOURCES/tilt-2.6.1.gem
SOURCES/tornado-v6.1.0.pcs.3.tar.gz


@ -1,22 +1,22 @@
679a4ce22a33ffd4d704261a17c00cff98d9499a SOURCES/HAM-logo.png 83f4267dacf83004d47a4cac784b2dea403810f5 SOURCES/backports-3.25.2.gem
0ef72a288913e220695ad62718aeb75171924028 SOURCES/backports-3.24.1.gem ea3a591bdfa93655d8eec9d7bdd7fb87ecb5616a SOURCES/base64-0.2.0.gem
07b26abbf7ff0dcba5c7f9e814ff7eebafefb058 SOURCES/dacite-1.8.1.tar.gz 963b12b359251f41998eebe6f6adfec92fe6f49f SOURCES/childprocess-5.1.0.gem
8b7598273d2ae6dad2b88466aefac55071a41926 SOURCES/dataclasses-0.8.tar.gz 01690d9883c149890e04dce4db43ec305959aa39 SOURCES/dacite-1.9.2.tar.gz
5b56a68268708c474bef04550639ded3add5e946 SOURCES/ethon-0.16.0.gem ffd8b3e5ac044a1a69791411e3e5cf4b5d4a6768 SOURCES/ethon-0.18.0.gem
10e4cf0e11ef4581ec4ad5fe2cdf3c78b6077d39 SOURCES/ffi-1.16.3.gem 01747fce469e932b701cb7a35d1ef4b3c68eb170 SOURCES/ffi-1.17.2.gem
6d78f730b7f3b25fb3f93684fe1364acf58bce6b SOURCES/json-2.6.3.gem abfa641d98ab2e71bc8102b0aab2f466569668d2 SOURCES/logger-1.7.0.gem
f5f804366823c1126791dfefd98dd0539563785c SOURCES/mustermann-2.0.2.gem 09083bd58f23a4a9153f440e8f398601b75bae51 SOURCES/mustermann-3.0.4.gem
2f65d371f5f37460ad74afcedcb97d2b41a46806 SOURCES/nio4r-2.5.9.gem 34420ab7703c0033e18680504a9f8899322ac908 SOURCES/nio4r-2.7.5.gem
41a7fe9f8e3e02da5ae76c821b89c5b376a97746 SOURCES/open4-1.3.4-1.gem 62daec4b5c7b796434021927ed738776ea75575b SOURCES/pcs-0.11.11.tar.gz
b3cd873042b17021355b68f1f7aa313f0c1f3fee SOURCES/pcs-0.10.18.tar.gz bc3ce8d4486b8fc9651047f2194854d40341556f SOURCES/pcs-web-ui-0.1.24.2.tar.gz
d6049c4555f3c9d198e6eb1d7e53ce9b68e175ff SOURCES/puma-6.4.0.gem 080b9735cfd8a5e777c1ab6e0219c6b045ba9b59 SOURCES/pcs-web-ui-node-modules-0.1.24.2.tar.xz
68945ed88cc06ad8fa963abcf302fd49da2154b3 SOURCES/puma-7.1.0.gem
3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz 3176b2f2b332c2b6bf79fe882e83feecf3d3f011 SOURCES/pyagentx-0.4.pcs.2.tar.gz
c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz a2ad0e1c27926296f2489a3f2c1385de313fc639 SOURCES/rack-3.2.4.gem
4c52ad6f798e78d4a1800257ef0d7fc5ac254712 SOURCES/rack-2.2.20.gem 1457dded6ffa0f564b33329861dd6b257f07498d SOURCES/rack-protection-4.2.1.gem
5347315a7283f0b04443e924ed4eaa17807432c8 SOURCES/rack-protection-2.2.4.gem 654168c0755ffe10443dd066276d4661bafdb2a4 SOURCES/rack-session-2.1.1.gem
ae09ea83748b55875edc3708fffba90db180cb8e SOURCES/rack-test-2.1.0.gem 922c597f0503f97dc3a058fe997590b108bc429a SOURCES/rack-test-2.2.0.gem
966b1564a77719483eb61068ed1dfb638e5e8eb0 SOURCES/rexml-3.4.1.gem efa414fe946ccc1f70e64337d206e98807baa717 SOURCES/rackup-2.2.1.gem
d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem d017b9e4d1978e0b3ccc3e2a31493809e4693cd3 SOURCES/ruby2_keywords-0.0.5.gem
fa6a6c98f885e93f54c23dd0454cae906e82c31b SOURCES/sinatra-2.2.4.gem 611999f43e27779278c80acfb5825c7255497988 SOURCES/sinatra-4.2.1.gem
4a38a9a55887b2882182a2c5771e592efe514e5e SOURCES/tilt-2.3.0.gem 43d4eaaed4bb0f481afd079cb1dd22be41b24ad4 SOURCES/tilt-2.6.1.gem
1f4e55c234da0b22aac09cca5a971c4ec2cb500a SOURCES/tornado-v6.1.0.pcs.3.tar.gz


@ -1,55 +0,0 @@
From 957856a556f5ed92129ce602538c3df3aebce7a3 Mon Sep 17 00:00:00 2001
From: Ivan Devat <idevat@redhat.com>
Date: Tue, 5 Dec 2023 15:18:35 +0100
Subject: [PATCH 2/2] disable alternative webui routes
This commit is intended to be downstream only.
The new web ui was part of rhel8 as a technical preview. But new web ui
is now the main in rhel9 and there is no need to keep it in rhel8.
To prevent unnecessary maintenance burden it is disabled now.
No handler code is removed, just routing disabled.
---
pcs/daemon/run.py | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/pcs/daemon/run.py b/pcs/daemon/run.py
index 7fdeda2a..0a6b1b21 100644
--- a/pcs/daemon/run.py
+++ b/pcs/daemon/run.py
@@ -81,16 +81,22 @@ def configure_app(
routes.extend(
# old web ui by default
[(r"/", RedirectHandler, dict(url="/manage"))]
- + [(r"/ui", RedirectHandler, dict(url="/ui/"))]
- + ui.get_routes(
- url_prefix="/ui/",
- app_dir=os.path.join(public_dir, "ui"),
- fallback_page_path=os.path.join(
- public_dir,
- "ui_instructions.html",
- ),
- session_storage=session_storage,
- )
+ # The following disabled routes was for the new web ui. The new
+ # web ui was here as a technical preview. But new web ui is now
+ # the main in rhel9 and there is no need to keep it in rhel8.
+ # To prevent unnecessary maintenance burden it is disabled now.
+ # No handler code is removed, just routing disabled.
+ #
+ # + [(r"/ui", RedirectHandler, dict(url="/ui/"))]
+ # + ui.get_routes(
+ # url_prefix="/ui/",
+ # app_dir=os.path.join(public_dir, "ui"),
+ # fallback_page_path=os.path.join(
+ # public_dir,
+ # "ui_instructions.html",
+ # ),
+ # session_storage=session_storage,
+ # )
+ sinatra_ui.get_routes(
session_storage, ruby_pcsd_wrapper, public_dir
)
--
2.43.0


@ -1,52 +0,0 @@
From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
From: Ivan Devat <idevat@redhat.com>
Date: Thu, 7 Mar 2024 16:51:13 +0100
Subject: [PATCH] stop sending http headers to ruby part of pcsd
---
pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
index 4b3b0ea1..e07e17cc 100644
--- a/pcs/daemon/ruby_pcsd.py
+++ b/pcs/daemon/ruby_pcsd.py
@@ -87,13 +87,34 @@ class RubyDaemonRequest(
http_request: HTTPServerRequest = None,
payload=None,
):
- headers = http_request.headers if http_request else HTTPHeaders()
+ # Headers from request are not propagated to ruby part. Ruby part doesn't
+ # work with standard headers in any special way. So, we send only path,
+ # method, query, body and special headers for communication between
+ # python part and ruby part. Tornado then adds necessary default
+ # headers. The motivation here is to prevent processing potentially
+ # maliciously crafted headers by rack.
+ headers = HTTPHeaders()
headers.add("X-Pcsd-Type", request_type)
if payload:
headers.add(
"X-Pcsd-Payload",
b64encode(json.dumps(payload).encode()).decode(),
)
+ if http_request:
+ for key, val in http_request.headers.get_all():
+ # From webui, POST request can come with either
+ # application/x-www-form-urlencoded or application/json content
+ # type. When we remove original HTTP headers, content type is
+ # added by tornado. But in the case of original application/json,
+ # tornado puts application/x-www-form-urlencoded there. To fix
+ # this let's keep the original header here in this case.
+ #
+ # The token, CIB_user and CIB_user_groups are transferred by the
+ # "Cookie" header and these information are evaluated in ruby.
+ if (
+ key.lower() == "content-type" and val == "application/json"
+ ) or key.lower() == "cookie":
+ headers.add(key, val)
return super(RubyDaemonRequest, cls).__new__(
cls,
request_type,
--
2.47.0


@ -1,45 +0,0 @@
From 0ad47ec40b7a9a2cb6bdbdf11e1e5b3c59f49b8b Mon Sep 17 00:00:00 2001
From: Miroslav Lisik <mlisik@redhat.com>
Date: Tue, 20 May 2025 16:34:18 +0200
Subject: [PATCH] support for query limits in rack
---
pcsd/conf/pcsd | 6 ++++++
pcsd/pcsd.rb | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/pcsd/conf/pcsd b/pcsd/conf/pcsd
index 98df4744..65a9c9a9 100644
--- a/pcsd/conf/pcsd
+++ b/pcsd/conf/pcsd
@@ -45,5 +45,11 @@ PCSD_SESSION_LIFETIME=3600
# is 50 (even if set lower).
PCSD_RESTART_AFTER_REQUESTS=200
+# These environment variables set the maximum query string bytesize and the
+# maximum number of query parameters that pcsd will attempt to parse.
+# See CVE-2025-46727 for details.
+#RACK_QUERY_PARSER_BYTESIZE_LIMIT=4194304
+#RACK_QUERY_PARSER_PARAMS_LIMIT=4096
+
# Do not change
RACK_ENV=production
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index 11698f54..a2634e4e 100644
--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -90,6 +90,11 @@ configure do
CAPABILITIES_PCSD = capabilities_pcsd.freeze
end
+error Rack::QueryParser::QueryLimitError do
+ $logger.warn(env['sinatra.error'].message)
+ return 400, env['sinatra.error'].message
+end
+
def run_cfgsync
node_connected = true
if Cfgsync::ConfigSyncControl.sync_thread_allowed?()
--
2.49.0


@ -1,53 +1,38 @@
From 854efcf148c82e5a5e4f0afd71cc3333ea4a8ce4 Mon Sep 17 00:00:00 2001 From 289189cae07bc934efafe0dd3988f2345c6935a6 Mon Sep 17 00:00:00 2001
From: Ivan Devat <idevat@redhat.com> From: Ivan Devat <idevat@redhat.com>
Date: Tue, 20 Nov 2018 15:03:56 +0100 Date: Tue, 20 Nov 2018 15:03:56 +0100
Subject: [PATCH 1/2] do not support cluster setup with udp(u) transport Subject: [PATCH] do not support cluster setup with udp(u) transport in RHEL9
--- ---
pcs/pcs.8.in | 2 ++ pcs/pcs.8.in | 2 ++
pcs/usage.py | 1 + pcs/usage.py | 1 +
pcsd/public/css/style.css | 3 +++ 2 files changed, 3 insertions(+)
3 files changed, 6 insertions(+)
diff --git a/pcs/pcs.8.in b/pcs/pcs.8.in diff --git a/pcs/pcs.8.in b/pcs/pcs.8.in
index d504e8b4..93202d05 100644 index 930d9ec58..2d2b44ff4 100644
--- a/pcs/pcs.8.in --- a/pcs/pcs.8.in
+++ b/pcs/pcs.8.in +++ b/pcs/pcs.8.in
@@ -438,6 +438,8 @@ By default, encryption is enabled with cipher=aes256 and hash=sha256. To disable @@ -479,6 +479,8 @@ By default, encryption is enabled with cipher=aes256 and hash=sha256. To disable
Transports udp and udpu: Transports udp and udpu:
.br .br
+WARNING: These transports are not supported in RHEL 8. +WARNING: These transports are not supported in RHEL 9.
+.br +.br
These transports are limited to one address per node. They do not support traffic encryption nor compression. These transports are limited to one address per node. They do not support traffic encryption nor compression.
.br .br
Transport options are: ip_version, netmtu Transport options are: ip_version, netmtu
diff --git a/pcs/usage.py b/pcs/usage.py diff --git a/pcs/usage.py b/pcs/usage.py
index f4b84202..ee10370a 100644 index 102deceb1..4d63192d9 100644
--- a/pcs/usage.py --- a/pcs/usage.py
+++ b/pcs/usage.py +++ b/pcs/usage.py
@@ -1038,6 +1038,7 @@ Commands: @@ -1498,6 +1498,7 @@ Commands:
hash=sha256. To disable encryption, set cipher=none and hash=none. hash=sha256. To disable encryption, set cipher=none and hash=none.
Transports udp and udpu: Transports udp and udpu:
+ WARNING: These transports are not supported in RHEL 8. + WARNING: These transports are not supported in RHEL 9.
These transports are limited to one address per node. They do not These transports are limited to one address per node. They do not
support traffic encryption nor compression. support traffic encryption nor compression.
Transport options are: Transport options are:
diff --git a/pcsd/public/css/style.css b/pcsd/public/css/style.css
index 2f26e831..a7702ac4 100644
--- a/pcsd/public/css/style.css
+++ b/pcsd/public/css/style.css
@@ -949,6 +949,9 @@ table.args-table td.reg {
width: 6ch;
text-align: right;
}
+#csetup-transport .transport-types {
+ display: none;
+}
#csetup-transport-options.udp .knet-only,
#csetup-transport-options.knet .without-knet
{
-- --
2.43.0 2.51.0

File diff suppressed because it is too large Load Diff