From fa5676ed6e43bb202fffca14cd94446257bd6b9a Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Tue, 29 Jan 2019 10:21:57 +0100
Subject: [PATCH] Fix #678: Removed potential BREACH exploit because of Gzip
 compression

---
 CHANGELOG                      |  8 -------
 changes/changelog.d/678.bugfix |  1 +
 changes/notes.rst              | 44 +++++++++++++++++++++++++++++++++-
 deploy/docker.proxy.template   |  8 -------
 deploy/nginx.template          |  8 -------
 docker/nginx/conf.dev          |  8 -------
 6 files changed, 44 insertions(+), 33 deletions(-)
 create mode 100644 changes/changelog.d/678.bugfix

diff --git a/CHANGELOG b/CHANGELOG
index 0b850566..e5444df9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
         gzip_vary          on;
 
         gzip_types
-            application/atom+xml
             application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
             application/vnd.geo+json
             application/vnd.ms-fontobject
             application/x-font-ttf
             application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
             font/opentype
             image/bmp
             image/svg+xml
diff --git a/changes/changelog.d/678.bugfix b/changes/changelog.d/678.bugfix
new file mode 100644
index 00000000..ba508bb8
--- /dev/null
+++ b/changes/changelog.d/678.bugfix
@@ -0,0 +1 @@
+Removed potential BREACH exploit because of Gzip compression (#678)
diff --git a/changes/notes.rst b/changes/notes.rst
index 8e54adf8..1276dd01 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -6,6 +6,49 @@ Next release notes
     Those release notes refer to the current development branch and are reset
     after each release.
 
+Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
+--------------------------------------------------------------------------------
+
+In the 0.18 release, we've enabled Gzip compression by default for various
+content types, including HTML and JSON. Unfortunately, enabling Gzip compression
+on such content types could make BREACH-type exploits possible.
+
+We've removed the risky content-types from our nginx template files, to ensure new
+instances are safe, however, if you already have an instance, you need
+to double check that your host nginx virtualhost do not include the following
+values for the ``gzip_types`` settings::
+
+   application/atom+xml
+   application/json
+   application/ld+json
+   application/activity+json
+   application/manifest+json
+   application/rss+xml
+   application/xhtml+xml
+   application/xml
+
+For convenience, you can also replace the whole setting with the following snippet::
+
+   gzip_types
+      application/javascript
+      application/vnd.geo+json
+      application/vnd.ms-fontobject
+      application/x-font-ttf
+      application/x-web-app-manifest+json
+      font/opentype
+      image/bmp
+      image/svg+xml
+      image/x-icon
+      text/cache-manifest
+      text/css
+      text/plain
+      text/vcard
+      text/vnd.rim.location.xloc
+      text/vtt
+      text/x-component
+      text/x-cross-domain-policy;
+
+
 Fix Apache configuration file for 0.18 [manual action required]
 ----------------------------------------------------------
 
@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:
 
    ProxyPass "/custom" "!"
    Alias /custom /srv/funkwhale/custom
-
diff --git a/deploy/docker.proxy.template b/deploy/docker.proxy.template
index c4f89057..0fbed2f7 100644
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -37,19 +37,11 @@ server {
     gzip_vary          on;
 
     gzip_types
-        application/atom+xml
         application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
         application/vnd.geo+json
         application/vnd.ms-fontobject
         application/x-font-ttf
         application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
         font/opentype
         image/bmp
         image/svg+xml
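Review bot: Dropping these MIME types from `gzip_types` does not stop nginx from compressing HTML: with `gzip on`, nginx always compresses `text/html` responses regardless of what `gzip_types` lists, so pages that place request-controlled input and a per-session secret (a CSRF token, for example) in the same response remain exposed to the BREACH-style compression oracle this commit sets out to remove. The identical hunks in deploy/nginx.template and docker/nginx/conf.dev have the same gap, and the enclosing `server {` block continues outside all three hunks. If HTML is also meant to be uncompressed, that needs `gzip off;` in the `location` blocks that serve the dynamic pages (not visible here), or a compensating control in the application (per-request token masking or response-length padding); otherwise the residual exposure should be stated in the template, e.g. `# text/html is always gzipped while gzip is on; see the BREACH notes in changes/notes.rst`. `text/plain` is also still listed, so it is worth confirming that no endpoint returns secrets with that content type.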
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 125397ea..7cdee70f 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -51,19 +51,11 @@ server {
     gzip_vary          on;
 
     gzip_types
-        application/atom+xml
         application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
         application/vnd.geo+json
         application/vnd.ms-fontobject
         application/x-font-ttf
         application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
         font/opentype
         image/bmp
         image/svg+xml
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index ecb1c1d0..50c3cbc2 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -51,19 +51,11 @@ http {
         gzip_vary          on;
 
         gzip_types
-            application/atom+xml
             application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
             application/vnd.geo+json
             application/vnd.ms-fontobject
             application/x-font-ttf
             application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
             font/opentype
             image/bmp
             image/svg+xml
-- 
GitLab