File fix-CVE-2023-46118-1.patch of Package rabbitmq-server

Overview Repositories Revisions Requests Users Attributes Meta

File fix-CVE-2023-46118-1.patch of Package rabbitmq-server

From 6d8a4ead2cbddfba33e178b3cafa1d550819d589 Mon Sep 17 00:00:00 2001
From: Michael Klishin <klishinm@vmware.com>
Date: Mon, 16 Oct 2023 06:48:23 -0400
Subject: [PATCH] Reduce default HTTP API request body size limit to 10 MiB

per discussion with the team.

It should be enough to accomodate a definition file with about
100K queues.

(cherry picked from commit c6d0382be4d9b6f4d0ab9466b397e353adfa92e0)
---
 deps/rabbitmq_management/BUILD.bazel                          | 2 +-
 deps/rabbitmq_management/Makefile                             | 2 +-
 .../priv/schema/rabbitmq_management.schema                    | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

Index: rabbitmq-server-3.8.11/deps/rabbitmq_management/Makefile
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbitmq_management/Makefile
+++ rabbitmq-server-3.8.11/deps/rabbitmq_management/Makefile
@@ -13,7 +13,7 @@ define PROJECT_ENV
 	    {cors_allow_origins, []},
 	    {cors_max_age, 1800},
 	    {content_security_policy, "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"},
-	    {max_http_body_size, 20000000}
+	    {max_http_body_size, 10000000}
 	  ]
 endef
 
Index: rabbitmq-server-3.8.11/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+++ rabbitmq-server-3.8.11/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@@ -28,9 +28,9 @@
 {translation, "rabbitmq_management.max_http_body_size",
 fun(Conf) ->
     case cuttlefish:conf_get("management.http.max_body_size", Conf, undefined) of
-        %% 20 MiB allows for about 200K queues across a small (single digit) number of virtual hosts with
+        %% 10 MiB allows for about 100K queues with short names across a small (single digit) number of virtual hosts with
         %% an equally small number of users. MK.
-        undefined                -> 20000000;
+        undefined                -> 10000000;
         Val when is_integer(Val) -> Val;
         Other                    -> cuttlefish:invalid("management.http.max_body_size must be set to a positive integer")
     end

Places

File fix-CVE-2023-46118-1.patch of Package rabbitmq-server

Places