import pcs-0.10.18-2.el8_10.3

SOURCES/RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch

@@ -0,0 +1,52 @@
+From 6142961fe0e39bdbba0d70f792fc27fb2bc096ba Mon Sep 17 00:00:00 2001
+From: Ivan Devat <idevat@redhat.com>
+Date: Thu, 7 Mar 2024 16:51:13 +0100
+Subject: [PATCH] stop sending http headers to ruby part of pcsd
+
+---
+ pcs/daemon/ruby_pcsd.py | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/pcs/daemon/ruby_pcsd.py b/pcs/daemon/ruby_pcsd.py
+index 4b3b0ea1..e07e17cc 100644
+--- a/pcs/daemon/ruby_pcsd.py
++++ b/pcs/daemon/ruby_pcsd.py
+@@ -87,13 +87,34 @@ class RubyDaemonRequest(
+         http_request: HTTPServerRequest = None,
+         payload=None,
+     ):
+-        headers = http_request.headers if http_request else HTTPHeaders()
++        # Headers from request are not propagated to ruby part. Ruby part doesn't
++        # work with standard headers in any special way. So, we send only path,
++        # method, query, body and special headers for communication between
++        # python part and ruby part. Tornado then adds necessary default
++        # headers. The motivation here is to prevent processing potentially
++        # maliciously crafted headers by rack.
++        headers = HTTPHeaders()
+         headers.add("X-Pcsd-Type", request_type)
+         if payload:
+             headers.add(
+                 "X-Pcsd-Payload",
+                 b64encode(json.dumps(payload).encode()).decode(),
+             )
++        if http_request:
++            for key, val in http_request.headers.get_all():
++                # From webui, POST request can come with either
++                # application/x-www-form-urlencoded or application/json content
++                # type. When we remove original HTTP headers, content type is
++                # added by tornado. But in the case of original application/json,
++                # tornado puts application/x-www-form-urlencoded there. To fix
++                # this let's keep the original header here in this case.
++                #
++                # The token, CIB_user and CIB_user_groups are transferred by the
++                # "Cookie" header and these information are evaluated in ruby.
++                if (
++                    key.lower() == "content-type" and val == "application/json"
++                ) or key.lower() == "cookie":
++                    headers.add(key, val)
+         return super(RubyDaemonRequest, cls).__new__(
+             cls,
+             request_type,
+-- 
+2.47.0
+

SPECS/pcs.spec

@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.10.18
-Release: 2%{?dist}.2
+Release: 2%{?dist}.3
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
 # GPL-2.0-only: pcs
@@ -115,6 +115,7 @@ Source95: https://rubygems.org/downloads/ruby2_keywords-%{version_rubygem_ruby2_
 # Patch1: bzNUMBER-01-name.patch
 Patch1: do-not-support-cluster-setup-with-udp-u-transport.patch
 Patch2: RHEL-17280-01-disable-new-webui-routes.patch
+Patch3: RHEL-65595-stop-sending-http-headers-to-ruby-part-of-pcsd.patch
 
 # git for patches
 BuildRequires: git-core
@@ -304,6 +305,7 @@ update_times_patch(){
 # update_times_patch %%{PATCH1}
 update_times_patch %{PATCH1}
 update_times_patch %{PATCH2}
+update_times_patch %{PATCH3}
 
 # generate .tarball-version if building from an untagged commit, not a released version
 # autogen uses git-version-gen which uses .tarball-version for generating version number
@@ -560,6 +562,10 @@ remove_all_tests
 %license pyagentx_LICENSE.txt
 
 %changelog
+* Wed Dec 4 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.3
+- Prevented any future HTTP header-based attacks on puma/sinatra by removing any headers not recognized by pcsd
+  Resolves: RHEL-65595
+
 * Thu Aug 29 2024 Michal Pospisil <mpospisi@redhat.com> - 0.10.18-2.el8_10.2
 - Updated rubygem rexml
   Resolves: RHEL-52409, RHEL-52788, RHEL-55997