RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2160555 - Some pcs webui responses are missing proper CSP headers
Summary: Some pcs webui responses are missing proper CSP headers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcs
Version: 8.7
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: 8.9
Assignee: Tomas Jelinek
QA Contact: cluster-qe
URL:
Whiteboard:
Depends On: 2160664
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-01-12 20:22 UTC by Tom Sorensen
Modified: 2023-11-14 15:53 UTC (History)
7 users (show)

Fixed In Version: pcs-0.10.16-1.el8
Doc Type: Enhancement
Doc Text:
Feature: Instruct web browsers to only load resources directly from pcs web UI and no other sources even when an error page is sent to a browser. Reason: This helps guard against cross-site scripting attacks. Result: HTTP header "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'" is sent by pcsd in error HTTP responses instructing web browsers to only load and run resources from pcs web UI and no external sources.
Clone Of:
: 2160664 (view as bug list)
Environment:
Last Closed: 2023-11-14 15:22:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2097778 0 medium CLOSED Pcs WebUI - CSP headers do not restrict script source 2023-06-06 06:52:18 UTC
Red Hat Issue Tracker CLUSTERQE-6611 0 None None None 2023-04-19 21:53:02 UTC
Red Hat Issue Tracker RHELPLAN-144988 0 None None None 2023-01-12 20:24:52 UTC
Red Hat Product Errata RHBA-2023:6903 0 None None None 2023-11-14 15:23:35 UTC

Description Tom Sorensen 2023-01-12 20:22:41 UTC 
Description of problem:
Response with status code 401 is not showing right content type; techically it would require CSP with a text/html response, but it would not with JSON

Response with status code 404 is showing HTML response with no CSP

Version-Release number of selected component (if applicable):
pcs-0.10.14-5.el8

How reproducible:
Always

Steps to Reproduce:
1. Disable pcs WebUI
2. Access WebUI and receive either a 401 or 404 error page
3. Check headers

Actual results:
Headers lack CSP

Expected results:
CSP to be included even with error pages

Additional info:
Comment 2 Tomas Jelinek 2023-01-13 08:51:17 UTC 
To summarize why we cannot fix CSP in RHEL 8 globally:

Setting CSP to "script-src 'self'", as asked, is not possible with the RHEL 8 pcs web UI for two reasons.
1) Such setting prevents inline scripts to be executed. To fix this, we would need to move all inline scripts to an external .js file.
2) Such setting prevents rendering handlebars templates. They are compiled on-the-fly and the compilation depends on calling "Function()", which is blocked by CSP. The only way to resolve this is to move to precompiled handlebars templates, which would require significant time and resources.

We've been working on a completely new web UI, to fix this and other issues, for a few years. The new web UI is released in RHEL 9 pcs packages as the only web UI. In RHEL 8, it is released as a tech preview alongside the old one.



Regarding the specific issue reported in this BZ:
It is possible to fix this in RHEL 8. RHEL 9 is also affected, I'm going to create a BZ for that.
Comment 4 Tomas Jelinek 2023-02-22 15:20:20 UTC 
Upstream patch: https://github.com/ClusterLabs/pcs/commit/2f3cd689e38fec824644bbeae3bad2e5accecb5b

Test:
1. disable pcs web UI
2. access pcs web UI and receive a 404 page
3. access /remote/capabilities URL and receive a 401 page
4. verify that "Content-Security-Policy" HTTP header is set to "frame-ancestors 'self'; default-src 'self'" in both cases
Comment 5 Michal Pospisil 2023-05-29 10:09:46 UTC 
DevTestResults:

[root@r08-09-a ~]# rpm -q pcs
pcs-0.10.16-1.el8.x86_64

Response headers on requests for index.html and favicon.ico both contain the desired CSP policy:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 May 2023 15:30:04 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
Comment 9 Michal Mazourek 2023-07-17 15:35:08 UTC 
The same test as in bz2160664 comment 11 was used to verify this bz. Marking as VERIFIED for pcs-0.10.17-2.el8.
Comment 12 errata-xmlrpc 2023-11-14 15:22:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6903
Note You need to log in before you can comment on or make changes to this bug.