Bug 1202510 - Phusion Passenger Displays Environment Variables
Summary: Phusion Passenger Displays Environment Variables
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jason DeTiberus
QA Contact: libra bugs
URL:
Whiteboard: Phusion Passenger
Depends On: 1191517
Blocks:
Reported: 2015-03-16 18:55 UTC by Brenton Leanhardt
Modified: 2015-04-06 17:06 UTC (History)

Fixed In Version: openshift-origin-cartridge-ruby-1.30.5.1-1.el6op
Doc Type: Bug Fix
Doc Text:
When using the Ruby cartridge, environment variables and their values were displayed on error pages to users when Phusion Passenger failed, containing potentially sensitive information. These pages are known as "friendly error pages", and by default in Passenger are not supposed to be revealed when the Rails environment is set to "staging" or "production". However, even though the cartridge default was set to "production", these pages still appeared. This bug fix updates the Ruby cartridge to include additional logic to ensure that the friendly error pages are disabled by default, unless the Rails environment has been set specifically to "development". After applying this update, a cartridge upgrade is required.
Clone Of: 1191517
Environment:
Last Closed: 2015-04-06 17:06:44 UTC
Target Upstream Version:
Embargoed:
Links
Red Hat Product Errata RHBA-2015:0779 (priority: normal, status: SHIPPED_LIVE): Red Hat OpenShift Enterprise 2.2.5 bug fix and enhancement update; last updated 2015-04-06 21:05:45 UTC

Description Brenton Leanhardt 2015-03-16 18:55:39 UTC
+++ This bug was initially created as a clone of Bug #1191517 +++

When Phusion Passenger fails, it displays environment variables to the user. This ticket is based on this thread: http://stackoverflow.com/questions/27379199/openshift-passenger-shows-env-variables-on-fail

Anything you can do to get passenger to fail will reproduce the issue. These are the steps that I did.

Steps to Reproduce:
1. Migrate a rails app on a Ruby 1.9 cartridge to a Ruby 2.0 cartridge where rack version is 1.4.5.

Actual results:

Phusion Passenger fails and shows the user the environment variables & values.

Expected results:

Display a "Something Went Wrong" message to the user and write the error to the log.

Additional info:

This is a scary bug as people can store very sensitive info in environment variables such as secret api keys.

--- Additional comment from Maciej Szulik on 2015-02-13 05:42:50 EST ---

It appears to be a bug in the Phusion Passenger we're using, since the docs [1] specifically say that PassengerAppEnv set to production, which we do by default, should lead to showing just a simple 'Something Went Wrong' error page. To make it work again I've added a conditional turning those pages on/off with this PR [2].
This is done for all our Ruby carts.

[1] https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerFriendlyErrorPages
[2] https://github.com/openshift/origin-server/pull/6072

--- Additional comment from openshift-github-bot on 2015-02-13 11:08:35 EST ---

Commits pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/f8704605fba212b3951e9322fb4599d1c57bf321
Bug 1191517 - Passenger is not hiding ErrorPages even when production is
specified. Added additional logic to force hiding ErrorPages when not in
development.

https://github.com/openshift/origin-server/commit/21780f8f48567aa432ab76cee78005af0cf1ff1a
Merge pull request #6072 from soltysh/bug1191517

Merged by openshift-bot

--- Additional comment from Hou Jianwei on 2015-02-15 21:50:43 EST ---

@Steve, could you please provide information on how you made passenger fail in your case? Thank you.

--- Additional comment from Maciej Szulik on 2015-02-16 05:00:50 EST ---

I usually added something along this in config.ru:

# Rack::Builder evaluates this map block while config.ru is loaded, so the
# raise happens at app boot (Error is not a defined constant, so the exception
# raised is a NameError) and Passenger fails to start the app.
map '/error' do
  raise Error.new
end

That usually was enough to get a Phusion error.

--- Additional comment from Hou Jianwei on 2015-02-16 21:20:54 EST ---

Verified on devenv_5433

1. Create a rails app with the rails-example quickstart
rhc create-app rails mysql-5.1 --from-code https://github.com/openshift/rails-example.git
2. Set RAILS_ENV=development
rhc env set RAILS_ENV=development -a rails
3. Add something to the app to get a Phusion error according to comment 4
Add the following to config.ru, then commit and push updates.
```
# Rack::Builder evaluates this map block while config.ru is loaded, so the
# raise happens at app boot (Error is not a defined constant, so the exception
# raised is a NameError) and Passenger fails to start the app.
map '/error' do
  raise Error.new
end
```
4. Access $app_url/error; on the page Phusion Passenger listed all the errors
5. Set RAILS_ENV=production, then restart the app
rhc env set RAILS_ENV=production -a rails
rhc app-restart -a rails
6. Access $app_url/error; the page shows 'Internal Server Error', the Phusion Passenger page is not displayed.

--- Additional comment from Steve Arnold on 2015-02-24 10:34:56 EST ---

(In reply to Hou Jianwei from comment #3)
> @Steve, could you please provide information on how you made passenger fail
> in your case? Thank you.

I had a rails 3 app on ruby 1.9 with rack version 1.4.5. I took a snapshot and then tried to restore it to a ruby 2.0 cartridge. It failed with some type of rack version error. I don't recall the exact text. Please let me know if you have further questions.
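The cartridge-side fix described in the cloned comments above (friendly error pages forced off unless the Rails environment is exactly development) can be expressed as a small POSIX shell helper that renders the Passenger directives for an Apache vhost fragment and audits an existing fragment. This is an added example written for this page, not code from the Ruby cartridge or from PR #6072; the function names, the fragment layout and the DocumentRoot placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not code from the OpenShift Ruby cartridge or PR #6072.
# Chooses the Passenger directives for an Apache vhost fragment so that the
# "friendly" error pages (which list environment variables) are off unless
# the app is explicitly in development. Unset, empty or unknown RAILS_ENV
# values fail closed to "off".

# Print "on" only for an exact RAILS_ENV of development, "off" for anything else.
friendly_error_pages_setting() {
  case "$1" in
    development) echo on ;;
    *)           echo off ;;
  esac
}

# Render the fragment. $1 = RAILS_ENV (empty means production),
# $2 = DocumentRoot (the default path below is a placeholder for this example).
render_passenger_fragment() {
  rails_env="${1:-production}"
  docroot="${2:-/PLACEHOLDER/app-root/repo/public}"
  printf 'PassengerAppEnv %s\n' "$rails_env"
  printf 'PassengerFriendlyErrorPages %s\n' "$(friendly_error_pages_setting "$rails_env")"
  printf 'DocumentRoot %s\n' "$docroot"
}

# Audit a fragment read from stdin. Returns 1 when PassengerAppEnv is not
# development and PassengerFriendlyErrorPages is not explicitly "off". A
# missing directive counts as unsafe: this bug came from relying on the
# Passenger default instead of setting the directive.
audit_passenger_fragment() {
  fragment=$(cat)
  app_env=$(printf '%s\n' "$fragment" | awk '$1=="PassengerAppEnv"{v=$2} END{print v}')
  pages=$(printf '%s\n' "$fragment" | awk '$1=="PassengerFriendlyErrorPages"{v=$2} END{print v}')
  if [ "$app_env" = "development" ]; then
    return 0
  fi
  if [ "$pages" != "off" ]; then
    echo "UNSAFE: PassengerAppEnv=${app_env:-unset} PassengerFriendlyErrorPages=${pages:-unset}" >&2
    return 1
  fi
  return 0
}

# Usage: render for the current RAILS_ENV (unset here means production) and audit it.
render_passenger_fragment "${RAILS_ENV:-}" | audit_passenger_fragment
```

The audit deliberately flags a fragment that omits PassengerFriendlyErrorPages: the verification steps on this page show that a cartridge defaulting to production still served the environment-listing page until the directive was written out explicitly, so "not development and not explicitly off" is the condition worth alerting on.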

Comment 4 Gaoyun Pei 2015-03-17 05:38:43 UTC
Verify this bug with openshift-origin-cartridge-ruby-1.30.5.1-1.el6op

1. Create a rails app with the rails-example quickstart
rhc create-app rails2 ruby-2.0 mysql-5.1 --from-code https://github.com/openshift/rails-example.git

2. Add the following to config.ru, then commit and push updates.
# Rack::Builder evaluates this map block while config.ru is loaded, so the
# raise happens at app boot (Error is not a defined constant, so the exception
# raised is a NameError) and Passenger fails to start the app.
map '/error' do
  raise Error.new
end

3. Access $app_url/error, got an error page which said "We're sorry, but something went wrong (500)"

4. Set RAILS_ENV=development and restart the app. 
rhc env set RAILS_ENV=development -a rails2
   Access $app_url/error. It returns all the errors and environment variables.

5. Set RAILS_ENV=production and restart the app. 
rhc env set RAILS_ENV=production -a rails2
   Access $app_url/error. It returns an error page which said "We're sorry, but something went wrong."

Comment 6 errata-xmlrpc 2015-04-06 17:06:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0779.html

