-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3.1.9 seems to break the Shell app due to CSRF token issue #3894
Comments
I can't replicate. Note that it's the javascript making this network call with a CSRF token, not the original URL you put in your browser. Here's an image of my console tab for the same. You'll note that the first request is what you enter in the URL (and the response is an html page), then later the browser makes another request to basically the same URL only with |
Didn't mean to close the ticket, only comment on it. Can you show a similar network tab? I double checked the diff between the two versions this morning and can't find/see how the ping pong change changed/broke functionality to that point. I'd also ask if you can try 3.1.9 with a private window or after clearing your cache to see if that's any different. |
Given the changelog, I'd pin this on updates we had to make to our lua code to support the latest version of httpd (or apache2 as the case may be). What apache2/httpd version are you using? |
Unfortunately I can't replicate on Rocky 8.8. Even 8.8 has I'll also have to look into the difference between those 56 and 65 releases. |
Yes, I have 2.4.37-56. I'll also try to find something different to test on. |
Is it possible to update httpd? I'm unable to get an OS with that version. Everything on appstream has been updated. I assume you're on some EL/8.8 variant? |
@johrstrom You can enable the Vault for Rocky to get older packages, ie: https://dl.rockylinux.org/vault/rocky/8.8/AppStream/x86_64/os/Packages/h/. Has https://dl.rockylinux.org/vault/rocky/8.8/AppStream/x86_64/os/Packages/h/httpd-2.4.37-56.module%2Bel8.8.0%2B1456%2Bd0a01c5e.7.x86_64.rpm. You can inject this URL into something like |
Thanks, I'll take a look at it. |
OK I can replicate if I downgrade back to |
But that brings another question - If I have to install the version from the vault should we even support it? Is there a way to safely require |
Latest versions for EL8: Rocky 8 - 2.4.37-65 The checksum and other parts of the appstream release do differ but I think for RHEL8 (and 9 most likely) we could require a minimum release based on what works with OnDemand. Where this could run into issues is folks on RHEL 8 can pin to like RHEL 8.8 and if we were to require something from RHEL 8.10, that would break for them but also if that requirement is based on what works for OnDemand, they have no choice but to upgrade. If
|
Surprisingly enough, How can I test pinning the OS to 8.8? |
I found these 2 advisories, so I'm a bit convinced we should just require that https://access.redhat.com/errata/RHSA-2024:5193 |
Sounds like a plan. I'll update to RHEL 8.10. |
You don't need to fully upgrade to 8.10. Just an update to |
We have a mixture of RHEL 8.8 EUS, RHEL 8.10 and RHEL/Rocky 9.4; this would be a good reason to move things off 8.8 EUS anyway :) |
This is done with subscription manager on RHEL systems as RHEL provides minor release repos. The only way to stay on a minor release on Rocky that is not the latest minor release would be to start with 8.8 container then replace all repos with 8.8 Vault URLs. On RHEL you'd do
Which would update the repo URLs in |
I see. Yea then a locked RHEL 8.8 system won't support 3.1.9. Hrrrrm. OK that may just be the best we can do. I can't figure out how to get the apache version in lua without shelling out a |
Ya that sounds not great. The release version only exists inside the RPM metadata, I don't think Apache itself knows its 2.4.x-y it only knows it's 2.4.x. |
I'm not sure if it matters, but I wanted to note that I hit this bug on a Rocky 9.4 host with httpd-2.4.57-8.el9.x86_64. We have a development host also running Rocky 9.4 that updated OnDemand at the same time, but it has httpd-2.4.57-11.el9_4.1.x86_64 and did not exhibit the problem. |
It certainly does matter because that means specifying |
We can have RHEL8 and RHEL9 specific requirements. We already do that for things like NodeJS because of different versions available: My guess is whatever patch RedHat backported, it was applied to 2.4.37 for RHEL8 and 2.4.57 for RHEL9 as RHEL tends to pin their software versions though less so with AppStream |
So we could do
|
I am having this issue, with the following installation: httpd-2.4.37-65.module+el8.10.0+1830+22f0c9e0.x86_64 $ cat /etc/redhat-release App 2203442 output: /var/www/ood/apps/sys/shell/app.js:161 |
From the browser it looks fine: token = window.urlWithToken().match(/csrf=([^&]*)/)[1]; So, potentially, something is preventing the token from being passed back to nodejs or otherwise mangling that URL in such a way that it is not being detected correctly. |
The update to apache should have resolved this... Did you bounce apache after updating to ensure that the new version is running? That's the only thing I can think of. I know for sure this issue is caused by the |
Yes, and I just did a systemctl restart again to be on the safe side. 11:40 sbw@bunya-ondemand:~$ rpm -qa | grep httpd 11:41 sbw@bunya-ondemand:~$ sudo /usr/sbin/httpd -v |
I'm so sorry, but I can't replicate our systems or in a container with Rocky 8. The updates we made (that apparently broke older httpds) were to support higher versions of httpd. So we can't really go back on them/revert them. I'm not really sure what to do because it really should be working for you, I'm just not sure why. You haven't edited those lua files have you? Just trying to cover what else could be the issue. |
Sorry Jeff, I wasnt checking email because I was travelling to SC24. I
don’t think I changed that code but I’ll have a look. Are you here?
…On Tue, 12 Nov 2024 at 09:25, Jeff Ohrstrom ***@***.***> wrote:
I'm so sorry, but I can't replicate our systems or in a container with
Rocky 8. httpd-2.4.37-65 (at least in a container when I test) should
work well for you.
The updates we made (that apparently broke older httpds) were to support
higher versions of httpd. So we can't really go back on them/revert them.
I'm not really sure what to do because it really should be working for you,
I'm just not sure why. You haven't edited those lua files have you? Just
trying to cover what else could be the issue.
—
Reply to this email directly, view it on GitHub
<#3894 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABV4XETBWTSBNCHCPEE3F6D2AIFVPAVCNFSM6AAAAABQNGFKXCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINZQGY3TMNZXG4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
No issues in delay. I'm not at SC personally, but many people from OSC are there at the OSC booth. |
Is it possible that there is an issue with the gems? We've got multiple packages installed for some reason, instead of just the latest. Should I remove them? 09:18 sbw@bunya-ondemand:/etc/yum.repos.d$ rpm -qa | grep ondemand |
Those duplicate |
Yea I don't think the gems are the issue here. What's the checksum of the httpd binary? Something like |
After updating from 3.1.7 to 3.1.9, the shell app immediately crashes with the message:
Looking at the logs I found
I made it print out
req.url
and it's the bare URL to the shell app without a CSRF token.3.1.7 does not have this issue since downgrading fixes it.
The text was updated successfully, but these errors were encountered: