openstack/kolla-ansible
Code Issues Proposed changes

Add LimitRequestBody configuration for Horizon

Browse Source 
Since CVE-2022-29404 is fixed [1,2] the default value for the
LimitRequestBody directive in the Apache HTTP Server has been changed
from 0 (unlimited) to 1 GiB. This limits the size of images (for
example) uploaded in Horizon. This change add the ability to
configure the limit.

1. https://access.redhat.com/articles/6975397
2. https://ubuntu.com/security/CVE-2022-29404

Closes-Bug: #2012588
Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
This commit is contained in:
Maksim Malchuk 2023-03-23 16:49:45 +03:00
parent 2845861ef9
commit d907790fff
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ansible/roles/horizon/templates/horizon.conf.j2
View File

@ -40,6 +40,9 @@ TraceEnable off
SSLCertificateFile /etc/horizon/certs/horizon-cert.pem SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
{% endif %} {% endif %}
{% if horizon_httpd_limitrequestbody is defined %}
LimitRequestBody {{ horizon_httpd_limitrequestbody }}
{% endif %}
</VirtualHost> </VirtualHost>
<IfModule mod_deflate.c> <IfModule mod_deflate.c>

9
releasenotes/notes/add-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml Normal file
View File

@ -0,0 +1,9 @@
---
features:
- |
Since CVE-2022-29404 is fixed the default value for the LimitRequestBody
directive in the Apache HTTP Server has been changed from 0 (unlimited) to
1073741824 (1 GiB). This limits the size of images (for example) uploaded
in Horizon. Now this limit can be configured via
``horizon_httpd_limitrequestbody``.
`LP#2012588 <https://bugs.launchpad.net/kolla-ansible/+bug/2012588>`__