Add LimitRequestBody configuration for Horizon

Since CVE-2022-29404 is fixed [1,2] the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB. This limits the size of images (for example) uploaded in Horizon. This change add the ability to configure the limit. 1. https://access.redhat.com/articles/6975397 2. https://ubuntu.com/security/CVE-2022-29404 Closes-Bug: #2012588 Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9 Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com> (cherry picked from commit d907790fff)
2023-03-23 16:49:45 +03:00 · 2023-03-23 16:49:45 +03:00 · 17fb405065
parent fe49ce32c6
commit 17fb405065
2 changed files with 12 additions and 0 deletions
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@ -48,6 +48,9 @@ TraceEnable off
    SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
    SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
 {% endif %}
+{% if horizon_httpd_limitrequestbody is defined %}
+    LimitRequestBody {{ horizon_httpd_limitrequestbody }}
+{% endif %}
 </VirtualHost>

 <IfModule mod_deflate.c>
--- a/releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml
+++ b/releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Since CVE-2022-29404 is fixed the default value for the LimitRequestBody
+    directive in the Apache HTTP Server has been changed from 0 (unlimited) to
+    1073741824 (1 GiB). This limits the size of images (for example) uploaded
+    in Horizon. Now this limit can be configured via
+    ``horizon_httpd_limitrequestbody``.
+    `LP#2012588 <https://bugs.launchpad.net/kolla-ansible/+bug/2012588>`__