Fix #678: Removed potential BREACH exploit because of Gzip compression

fa5676ed · Eliot Berriot · 7df97263 · fa5676ed · fa5676ed · fa5676ed
Verified Commit fa5676ed authored 6 years ago by Eliot Berriot
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
        gzip_vary          on;

        gzip_types
-            application/atom+xml
            application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
            font/opentype
            image/bmp
            image/svg+xml

--- a/changes/changelog.d/678.bugfix
+++ b/changes/changelog.d/678.bugfix
+Removed potential BREACH exploit because of Gzip compression (#678)
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -6,6 +6,49 @@ Next release notes
    Those release notes refer to the current development branch and are reset
    after each release.

+Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
+--------------------------------------------------------------------------------
+
+In the 0.18 release, we've enabled Gzip compression by default for various
+content types, including HTML and JSON. Unfortunately, enabling Gzip compression
+on such content types could make BREACH-type exploits possible.
+
+We've removed the risky content-types from our nginx template files, to ensure new
+instances are safe, however, if you already have an instance, you need
+to double check that your host nginx virtualhost do not include the following
+values for the ``gzip_types`` settings::
+
+   application/atom+xml
+   application/json
+   application/ld+json
+   application/activity+json
+   application/manifest+json
+   application/rss+xml
+   application/xhtml+xml
+   application/xml
+
+For convenience, you can also replace the whole setting with the following snippet::
+
+   gzip_types
+      application/javascript
+      application/vnd.geo+json
+      application/vnd.ms-fontobject
+      application/x-font-ttf
+      application/x-web-app-manifest+json
+      font/opentype
+      image/bmp
+      image/svg+xml
+      image/x-icon
+      text/cache-manifest
+      text/css
+      text/plain
+      text/vcard
+      text/vnd.rim.location.xloc
+      text/vtt
+      text/x-component
+      text/x-cross-domain-policy;
+
+
 Fix Apache configuration file for 0.18 [manual action required]
 ----------------------------------------------------------

@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:

   ProxyPass "/custom" "!"
   Alias /custom /srv/funkwhale/custom
-
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -37,19 +37,11 @@ server {
    gzip_vary          on;

    gzip_types
-        application/atom+xml
        application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
        font/opentype
        image/bmp
        image/svg+xml

--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -51,19 +51,11 @@ server {
    gzip_vary          on;

    gzip_types
-        application/atom+xml
        application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
        font/opentype
        image/bmp
        image/svg+xml

--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -51,19 +51,11 @@ http {
        gzip_vary          on;

        gzip_types
-            application/atom+xml
            application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
            font/opentype
            image/bmp
            image/svg+xml