diff --git a/SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch b/SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch new file mode 100644 index 0000000..ddb17c5 --- /dev/null +++ b/SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch @@ -0,0 +1,52 @@ +From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001 +From: Ivan Devat +Date: Thu, 7 Mar 2024 16:51:13 +0100 +Subject: [PATCH] stop sending http headers to ruby part of pcsd + +--- + pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py +index 4b3b0ea1..e07e17cc 100644 +--- a/pcs/daemon/ruby_pcsd.py ++++ b/pcs/daemon/ruby_pcsd.py +@@ -87,13 +87,34 @@ class RubyDaemonRequest( + http_request: HTTPServerRequest = None, + payload=None, + ): +- headers = http_request.headers if http_request else HTTPHeaders() ++ # Headers from request are not propagated to ruby part. Ruby part doesn't ++ # work with standard headers in any special way. So, we send only path, ++ # method, query, body and special headers for communication between ++ # python part and ruby part. Tornado then adds necessary default ++ # headers. The motivation here is to prevent processing potentially ++ # maliciously crafted headers by rack. ++ headers = HTTPHeaders() + headers.add("X-Pcsd-Type", request_type) + if payload: + headers.add( + "X-Pcsd-Payload", + b64encode(json.dumps(payload).encode()).decode(), + ) ++ if http_request: ++ for key, val in http_request.headers.get_all(): ++ # From webui, POST request can come with either ++ # application/x-www-form-urlencoded or application/json content ++ # type. When we remove original HTTP headers, content type is ++ # added by tornado. But in the case of original application/json, ++ # tornado puts application/x-www-form-urlencoded there. To fix ++ # this let's keep the original header here in this case. ++ # ++ # The token, CIB_user and CIB_user_groups are transferred by the ++ # "Cookie" header and these information are evaluated in ruby. ++ if ( ++ key.lower() == "content-type" and val == "application/json" ++ ) or key.lower() == "cookie": ++ headers.add(key, val) + return super(RubyDaemonRequest, cls).__new__( + cls, + request_type, +-- +2.47.0 + diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec index 5f71913..d872c2a 100644 --- a/SPECS/pcs.spec +++ b/SPECS/pcs.spec @@ -1,6 +1,6 @@ Name: pcs Version: 0.10.18 -Release: 2%{?dist}.2 +Release: 2%{?dist}.3 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/ # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses # GPL-2.0-only: pcs @@ -115,6 +115,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_ # Patch1: bzNUMBER-01-name.patch Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch Patch2: RHEL-17280-01-disable-new-webui-routes.patch +Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch # git for patches BuildRequires: git-core @@ -304,6 +305,7 @@ update_times_patch(){ # update_times_patch %%{PATCH1} update_times_patch %{PATCH1} update_times_patch %{PATCH2} +update_times_patch %{PATCH3} # generate .tarball-version if building from an untagged commit, not a released version # autogen uses git-version-gen which uses .tarball-version for generating version number @@ -560,6 +562,10 @@ remove_all_tests %license pyagentx_LICENSE.txt %changelog +* Wed Dec 4 2024 Michal Pospisil - 0.10.18-2.el8_10.3 +- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd + Resolves: RHEL-65595 + * Thu Aug 29 2024 Michal Pospisil - 0.10.18-2.el8_10.2 - Updated rubygem rexml Resolves: RHEL-52409, RHEL-52788, RHEL-55997