MirrorMirror
/
funkwhale
mirror of https://dev.funkwhale.audio/funkwhale/funkwhale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch '678-breach' into 'master' 

Fix #678: Removed potential BREACH exploit because of Gzip compression

See merge request funkwhale/funkwhale!572
This commit is contained in:
Eliot Berriot 2019-01-29 10:24:32 +01:00
parent 7df97263e5 fa5676ed6e
commit cd2f264b56
6 changed files with 44 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
CHANGELOG
View File

@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml

1
changes/changelog.d/678.bugfix Normal file
View File

@ -0,0 +1 @@
Removed potential BREACH exploit because of Gzip compression (#678)

44
changes/notes.rst
View File

@ -6,6 +6,49 @@ Next release notes
Those release notes refer to the current development branch and are reset
after each release.
Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
--------------------------------------------------------------------------------
In the 0.18 release, we've enabled Gzip compression by default for various
content types, including HTML and JSON. Unfortunately, enabling Gzip compression
on such content types could make BREACH-type exploits possible.
We've removed the risky content-types from our nginx template files, to ensure new
instances are safe, however, if you already have an instance, you need
to double check that your host nginx virtualhost do not include the following
values for the ``gzip_types`` settings::
application/atom+xml
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/xhtml+xml
application/xml
For convenience, you can also replace the whole setting with the following snippet::
gzip_types
application/javascript
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
Fix Apache configuration file for 0.18 [manual action required]
----------------------------------------------------------
@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:
ProxyPass "/custom" "!"
Alias /custom /srv/funkwhale/custom

8
deploy/docker.proxy.template
View File

@ -37,19 +37,11 @@ server {
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml

8
deploy/nginx.template
View File

@ -51,19 +51,11 @@ server {
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml

8
docker/nginx/conf.dev
View File

@ -51,19 +51,11 @@ http {
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml