Bug 2160664 - Some pcs webui responses are missing proper CSP headers
Summary: Some pcs webui responses are missing proper CSP headers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: pcs
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: 9.3
Assignee: Tomas Jelinek
QA Contact: cluster-qe
URL:
Whiteboard:
Depends On:
Blocks: 2160555
Reported: 2023-01-13 08:54 UTC by Tomas Jelinek
Modified: 2023-11-07 08:59 UTC

Fixed In Version: pcs-0.11.5-1.el9
Doc Type: Enhancement
Doc Text:
Feature: Instruct web browsers to only load resources directly from pcs web UI and no other sources even when an error page is sent to a browser.
Reason: This helps guard against cross-site scripting attacks.
Result: HTTP header "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'" is sent by pcsd in error HTTP responses instructing web browsers to only load and run resources from pcs web UI and no external sources.
Clone Of: 2160555
Environment:
Last Closed: 2023-11-07 08:23:10 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2097778 0 medium CLOSED Pcs WebUI - CSP headers do not restrict script source 2023-06-06 06:52:18 UTC
Red Hat Issue Tracker CLUSTERQE-6628 0 None None None 2023-04-19 22:23:48 UTC
Red Hat Issue Tracker RHELPLAN-145013 0 None None None 2023-01-13 08:56:49 UTC
Red Hat Product Errata RHSA-2023:6316 0 None None None 2023-11-07 08:24:03 UTC

Description Tomas Jelinek 2023-01-13 08:54:24 UTC
+++ This bug was initially created as a clone of Bug #2160555 +++

Description of problem:
Response with status code 401 is not showing right content type; technically it would require CSP with a text/html response, but it would not with JSON

Response with status code 404 is showing HTML response with no CSP

Version-Release number of selected component (if applicable):
pcs-0.10.14-5.el8

How reproducible:
Always

Steps to Reproduce:
1. Disable pcs WebUI
2. Access WebUI and receive either a 401 or 404 error page
3. Check headers

Actual results:
Headers lack CSP

Expected results:
CSP to be included even with error pages

Comment 2 Tomas Jelinek 2023-02-22 15:23:57 UTC
Upstream patch: https://github.com/ClusterLabs/pcs/commit/36e476d1a431375dfb53aca560d3a4d50494d001

Test:
1. disable pcs web UI
2. access pcs web UI and receive a 404 page
3. verify that "Content-Security-Policy" HTTP header is set to "frame-ancestors 'self'; default-src 'self'"

Comment 6 Michal Pospisil 2023-05-26 09:27:52 UTC
DevTestResults:

[root@r09-03-a ~]# rpm -q pcs
pcs-0.11.5-1.el9.x86_64

Response headers on requests for index.html and favicon.ico both contain the desired CSP policy:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Wed, 24 May 2023 16:03:39 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69

Comment 11 Michal Mazourek 2023-07-17 15:28:50 UTC
BEFORE:
=======

[root@virt-510 ~]# rpm -q pcs
pcs-0.11.4-6.el9.x86_64


## disable web UI

[root@virt-510 ~]# cat /etc/sysconfig/pcsd | grep PCSD_DISABLE_GUI
PCSD_DISABLE_GUI=true

[root@virt-510 ~]# systemctl restart pcsd
[root@virt-510 ~]# echo $?
0


## access web UI

1. open https://<hostname>:2224
> got 404: Not Found
2. check network headers for index and favicon
the header:
HTTP/1.1 404 Not Found
Server: TornadoServer/6.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:16:24 GMT
Content-Length: 69

> CSP (Content-Security-Policy) is not present


AFTER:
======

[root@virt-496 ~]# rpm -q pcs
pcs-0.11.6-1.el9.x86_64


## disable web UI

[root@virt-496 ~]# cat /etc/sysconfig/pcsd | grep PCSD_DISABLE_GUI
PCSD_DISABLE_GUI=true

[root@virt-496 ~]# systemctl restart pcsd
[root@virt-496 ~]# echo $?
0


## access web UI

1. open https://<hostname>:2224
> got 404: Not Found
2. check network headers for index and favicon
the header:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Fri, 14 Jul 2023 14:58:31 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
3. open https://<hostname>:2224/remote/capabilities
> got 401: {"notauthorized":"true"}
4. check network header for capabilities
the header:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:02:16 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 24

> OK: CSP (Content-Security-Policy) is in place for 404 and 401 with values frame-ancestors 'self'; default-src 'self'


Marking as VERIFIED for pcs-0.11.6-1.el9.
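An offline check, added here and not part of pcs or of this bug report, that applies the rule from the description (a text/html response needs the CSP, a JSON body does not) to captured response heads and reports missing or wrong directives. The two sample responses are constructed from the 404 header dumps in comment 11 above, trimmed to the relevant lines.

```python
# Audit captured pcsd HTTP response heads for the CSP this bug requires:
# a text/html response, error pages included, must carry the expected policy.
from typing import Dict, List

EXPECTED_CSP = {"frame-ancestors": "'self'", "default-src": "'self'"}

def parse_response(raw: str):
    """Return (status code, lower-cased header map) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block; a body (if any) follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_csp(value: str) -> Dict[str, str]:
    """Split a CSP header value into {directive: source expression list}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = " ".join(tokens[1:])
    return directives

def audit(raw: str) -> List[str]:
    """Return findings for one response; an empty list means it is acceptable."""
    status, headers = parse_response(raw)
    if not headers.get("content-type", "").startswith("text/html"):
        return []  # only rendered HTML needs the policy (a JSON body does not)
    csp = headers.get("content-security-policy")
    if csp is None:
        return [f"{status}: text/html response without Content-Security-Policy"]
    got = parse_csp(csp)
    return [f"{status}: CSP {name} is {got.get(name)!r}, expected {want!r}"
            for name, want in EXPECTED_CSP.items() if got.get(name) != want]

# Constructed samples, trimmed from the BEFORE/AFTER header dumps in comment 11.
BEFORE_404 = """HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 69
"""
AFTER_404 = """HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
Content-Length: 69
"""
```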

Comment 14 errata-xmlrpc 2023-11-07 08:23:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: pcs security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6316

