Skip to content
Snippets Groups Projects
Select Git revision
  • LDAPGroupTypeSupport
  • develop default protected
  • master
  • 876-http-signature
  • plugins-v2
  • plugins
  • 0.21
  • 0.21-rc2
  • 0.21-rc1
  • 0.20.1
  • 0.20.0
  • 0.20.0-rc1
  • 0.19.1
  • 0.19.0
  • 0.19.0-rc2
  • 0.19.0-rc1
  • 0.18.3
  • 0.18.2
  • 0.18.1
  • 0.18
  • 0.17
  • 0.16.3
  • 0.16.2
  • 0.16.1
  • 0.16
  • 0.15
26 results
Blame History Permalink
Forked from funkwhale / funkwhale
5934 commits behind the upstream repository.
notes.rst 2.60 KiB

Next release notes

Note

Those release notes refer to the current development branch and are reset after each release.

Fix Gzip compression to avoid BREACH exploit [security] [manual action required]

In the 0.18 release, we've enabled Gzip compression by default for various content types, including HTML and JSON. Unfortunately, enabling Gzip compression on such content types could make BREACH-type exploits possible.

We've removed the risky content-types from our nginx template files, to ensure new instances are safe, however, if you already have an instance, you need to double check that your host nginx virtualhost do not include the following values for the gzip_types settings:

application/atom+xml
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/xhtml+xml
application/xml

For convenience, you can also replace the whole setting with the following snippet:

gzip_types
   application/javascript
   application/vnd.geo+json
   application/vnd.ms-fontobject
   application/x-font-ttf
   application/x-web-app-manifest+json
   font/opentype
   image/bmp
   image/svg+xml
   image/x-icon
   text/cache-manifest
   text/css
   text/plain
   text/vcard
   text/vnd.rim.location.xloc
   text/vtt
   text/x-component
   text/x-cross-domain-policy;

Fix Apache configuration file for 0.18 [manual action required]

The way front is served has changed since 0.18. The Apache configuration can't serve 0.18 properly, leading to blank screens.

If you are on an Apache setup, you will have to replace the <Location "/api"> block with the following:

<Location "/">
   # similar to nginx 'client_max_body_size 100M;'
   LimitRequestBody 104857600

   ProxyPass ${funkwhale-api}/
   ProxyPassReverse ${funkwhale-api}/
</Location>

And add some more ProxyPass directives so that the Alias part of your configuration file looks this way:

ProxyPass "/front" "!"
Alias /front /srv/funkwhale/front/dist

ProxyPass "/media" "!"
Alias /media /srv/funkwhale/data/media

ProxyPass "/staticfiles" "!"
Alias /staticfiles /srv/funkwhale/data/static

In case you are using custom css and theming, you also need to match this block:

ProxyPass "/settings.json" "!"
Alias /settings.json /srv/funkwhale/custom/settings.json

ProxyPass "/custom" "!"
Alias /custom /srv/funkwhale/custom