From 17fb4050650da952858fcade902d055c09c66903 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Thu, 23 Mar 2023 16:49:45 +0300 Subject: [PATCH] Add LimitRequestBody configuration for Horizon Since CVE-2022-29404 is fixed [1,2] the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB. This limits the size of images (for example) uploaded in Horizon. This change add the ability to configure the limit. 1. https://access.redhat.com/articles/6975397 2. https://ubuntu.com/security/CVE-2022-29404 Closes-Bug: #2012588 Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9 Signed-off-by: Maksim Malchuk (cherry picked from commit d907790fffaf392f40ac5e6d824e72995c1f612c) --- ansible/roles/horizon/templates/horizon.conf.j2 | 3 +++ .../add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml | 9 +++++++++ 2 files changed, 12 insertions(+) create mode 100644 releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2 index e526f609f5..b54591e563 100644 --- a/ansible/roles/horizon/templates/horizon.conf.j2 +++ b/ansible/roles/horizon/templates/horizon.conf.j2 @@ -48,6 +48,9 @@ TraceEnable off SSLCertificateFile /etc/horizon/certs/horizon-cert.pem SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem {% endif %} +{% if horizon_httpd_limitrequestbody is defined %} + LimitRequestBody {{ horizon_httpd_limitrequestbody }} +{% endif %} diff --git a/releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml b/releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml new file mode 100644 index 0000000000..7b93905f15 --- /dev/null +++ b/releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml 
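Review bot: The added `LimitRequestBody {{ horizon_httpd_limitrequestbody }}` line renders whatever the operator supplies without any check, so an empty or non-numeric value would produce an invalid directive, and a value of 0 silently restores the unlimited request body that the CVE-2022-29404 default change removed. Because the guard is `is defined`, the variable appears to have no entry in the role defaults (not visible in this patch), which leaves it documented only in the release note. I would add a template comment above the directive, `{# Bytes; 0 means unlimited and removes the cap Apache introduced with the CVE-2022-29404 fix. Keep it close to the largest expected image upload. #}`. I would also validate the value as a non-negative integer in a precheck task rather than coercing it in the template, because Jinja's `int` filter turns invalid input into 0. The enclosing VirtualHost block starts and ends outside the hunk, so the scope the limit applies to should be confirmed against the full template.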
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Since CVE-2022-29404 is fixed the default value for the LimitRequestBody
+ directive in the Apache HTTP Server has been changed from 0 (unlimited) to
+ 1073741824 (1 GiB). This limits the size of images (for example) uploaded
+ in Horizon. Now this limit can be configured via
+ ``horizon_httpd_limitrequestbody``.
+ `LP#2012588 `__