Salt 3005.1 still has a failure for a single urlencoded argument not being allowed (i.e. #62624) #64209

Closed
3 of 9 tasks
zbukhari-apex opened this issue May 2, 2023 · 7 comments
Labels
Bug broken, incorrect, or confusing behavior needs-triage

Comments

@zbukhari-apex

Description
Using salt-api, when a single argument is sent for say a cmd.run, it fails. I have to add additional arguments as described in #62624

3005 should still be supported but looking at #62624 the fix for the problem which is in 3005 / 3005.1 was done in 3006 and not in 3005 afaict.

Setup

...
external_auth:
  pam:
    saltm1user:
      - .*
      - '@runner'
      - '@wheel'

rest_cherrypy:
  host: 0.0.0.0
  port: 8000
  ssl_key: /etc/salt/saltm1.key
  ssl_crt: /etc/salt/saltm1.crt
...

Please be as specific as possible and give set-up details.

  • on-prem machine
  • VM - vmware on Ubuntu Bionic/Focal
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior

$ curl -sSk "https://${salt_master}:8000" \
    -b "$cookie_file" \
    -H 'Accept: application/json' \
    -d client=local \
    -d tgt='host*' \
    -d fun='cmd.run' \
    -d arg='whoami'
...

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>500 Internal Server Error</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }   

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>500 Internal Server Error</h2>
        <p>The server encountered an unexpected condition which prevented it from fulfilling the request.</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 18.6.1</a>
      </span>
    </div>
    </body>
</html>

Expected behavior

{"return": [{"host1.dom.tld": "root", "host2.dom.tld": "root"}]}

For it to work in 3005.1 I have to pass in another argument as mentioned in 62624.

$ curl -sSk "https://${salt_master}:8000" \
    -b "$cookie_file" \
    -H 'Accept: application/json' \
    -d client=local \
    -d tgt='host*' \
    -d fun='cmd.run' \
    -d arg='whoami' \
    -d arg='c=d'

A clear and concise description of what you expected to happen.

Screenshots
N/A

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3005.1
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.0
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: Not Installed
        Python: 3.9.16 (main, Jan  6 2023, 22:49:49)
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: ubuntu 18.04 bionic
        locale: utf-8
       machine: x86_64
       release: 5.4.0-139-generic
        system: Linux
       version: Ubuntu 18.04 bionic

Additional context
Add any other context about the problem here.

@zbukhari-apex zbukhari-apex added Bug broken, incorrect, or confusing behavior needs-triage labels May 2, 2023
@OrangeDog
Contributor

"Supported" does not mean that bug fixes are back-ported and released, unfortunately.

3005.2 might get released if a new CVE is identified, but it's unlikely to have this fix in it either.

@zbukhari-apex
Author

That is rather unfortunate. The support cycle is longer but I kind of freak out when the documentation only has the current and last versions so I try and keep with the times ... when there's a good reason :-) Onedir is a very good reason ;-)

I thought the support page says it's in phase 2 so I thought it would or should get that. We are also VMware customers if that would help to push the envelope.

As of now it seems 3005, which is one version behind the latest, isn't going to get the fix unless powers-that-be step in.
3006.1 will but that won't happen until July, I believe, looking at the release schedule. So should we go back to 3004.2 or will 3006.1 have an earlier release than scheduled?

tldr - tried to go to 3006, jinja includes was our issue. Used 3005 onedir, and much better but have run into a couple of issues. One being highstate from the salt master never seems to return but can't figure out why (when I know more I'll put it up or see if there's a known bug) and this.

I can use OS packages on some distributions but I really like the goals of onedir; having run into issues with path includes and pip installs, I felt it's great. I haven't run into it that much but it seems people are using python more and more here :-D

Either way, thank you!

@whytewolf
Collaborator

3006.1 is set to be released very soon. We moved up the schedule because of the jinja issues being so critical.

@OrangeDog
Contributor

highstate from the salt master never seems to return

#62881

@zbukhari-apex
Author

Awesome news! Thanks for the bug reference.

Not all heroes wear capes! Unless Saltstack employees are donning capes ;-) :-D

Happy Friday!

@whytewolf
Collaborator

@zbukhari-apex just a heads up, we just released 3006.1

@zbukhari-apex
Author

I saw. Planning on testing it out either this week or next week. Thank you!
