Merge branch '678-breach' into 'master'

Fix #678: Removed potential BREACH exploit because of Gzip compression

See merge request funkwhale/funkwhale!572

CHANGELOG

@@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
         gzip_vary          on;
 
         gzip_types
-            application/atom+xml
             application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
             application/vnd.geo+json
             application/vnd.ms-fontobject
             application/x-font-ttf
             application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
             font/opentype
             image/bmp
             image/svg+xml

changes/changelog.d/678.bugfix

@@ -0,0 +1 @@
+Removed potential BREACH exploit because of Gzip compression (#678)

changes/notes.rst

@@ -6,6 +6,49 @@ Next release notes
     Those release notes refer to the current development branch and are reset
     after each release.
 
+Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
+--------------------------------------------------------------------------------
+
+In the 0.18 release, we've enabled Gzip compression by default for various
+content types, including HTML and JSON. Unfortunately, enabling Gzip compression
+on such content types could make BREACH-type exploits possible.
+
+We've removed the risky content-types from our nginx template files, to ensure new
+instances are safe, however, if you already have an instance, you need
+to double check that your host nginx virtualhost do not include the following
+values for the ``gzip_types`` settings::
+
+   application/atom+xml
+   application/json
+   application/ld+json
+   application/activity+json
+   application/manifest+json
+   application/rss+xml
+   application/xhtml+xml
+   application/xml
+
+For convenience, you can also replace the whole setting with the following snippet::
+
+   gzip_types
+      application/javascript
+      application/vnd.geo+json
+      application/vnd.ms-fontobject
+      application/x-font-ttf
+      application/x-web-app-manifest+json
+      font/opentype
+      image/bmp
+      image/svg+xml
+      image/x-icon
+      text/cache-manifest
+      text/css
+      text/plain
+      text/vcard
+      text/vnd.rim.location.xloc
+      text/vtt
+      text/x-component
+      text/x-cross-domain-policy;
+
+
 Fix Apache configuration file for 0.18 [manual action required]
 ----------------------------------------------------------
 
@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:
 
    ProxyPass "/custom" "!"
    Alias /custom /srv/funkwhale/custom
-

deploy/docker.proxy.template

@@ -37,19 +37,11 @@ server {
     gzip_vary          on;
 
     gzip_types
-        application/atom+xml
         application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
         application/vnd.geo+json
         application/vnd.ms-fontobject
         application/x-font-ttf
         application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
         font/opentype
         image/bmp
         image/svg+xml

deploy/nginx.template

@@ -51,19 +51,11 @@ server {
     gzip_vary          on;
 
     gzip_types
-        application/atom+xml
         application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
         application/vnd.geo+json
         application/vnd.ms-fontobject
         application/x-font-ttf
         application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
         font/opentype
         image/bmp
         image/svg+xml

docker/nginx/conf.dev

@@ -51,19 +51,11 @@ http {
         gzip_vary          on;
 
         gzip_types
-            application/atom+xml
             application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
             application/vnd.geo+json
             application/vnd.ms-fontobject
             application/x-font-ttf
             application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
             font/opentype
             image/bmp
             image/svg+xml