Commit cd2f264b authored by Eliot Berriot

Merge branch '678-breach' into 'master'

Fix #678: Removed potential BREACH exploit because of Gzip compression

See merge request funkwhale/funkwhale!572
parents 7df97263 fa5676ed
...@@ -189,19 +189,11 @@ in the server block, then reload your nginx server:: ...@@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
gzip_vary on; gzip_vary on;
gzip_types gzip_types
application/atom+xml
application/javascript application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json application/vnd.geo+json
application/vnd.ms-fontobject application/vnd.ms-fontobject
application/x-font-ttf application/x-font-ttf
application/x-web-app-manifest+json application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype font/opentype
image/bmp image/bmp
image/svg+xml image/svg+xml
......
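Review bot: two JSON-suffixed types survive this `gzip_types` list while every other `+json` type is dropped: `application/vnd.geo+json` and `application/x-web-app-manifest+json`. If the reasoning is that BREACH only matters for responses that combine a secret with content the requester can influence (API JSON, rendered HTML) and these two are static files, that is defensible, but the documentation snippet gives the reader no way to tell; either remove them as well for a simpler rule ("no JSON or XML is compressed") or add a sentence explaining why these static types are kept.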
Removed potential BREACH exploit because of Gzip compression (#678)
...@@ -6,6 +6,49 @@ Next release notes ...@@ -6,6 +6,49 @@ Next release notes
Those release notes refer to the current development branch and are reset Those release notes refer to the current development branch and are reset
after each release. after each release.
Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
--------------------------------------------------------------------------------
In the 0.18 release, we've enabled Gzip compression by default for various
content types, including HTML and JSON. Unfortunately, enabling Gzip compression
on such content types could make BREACH-type exploits possible.
We've removed the risky content-types from our nginx template files, to ensure new
instances are safe, however, if you already have an instance, you need
to double check that your host nginx virtualhost do not include the following
values for the ``gzip_types`` settings::
application/atom+xml
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/xhtml+xml
application/xml
For convenience, you can also replace the whole setting with the following snippet::
gzip_types
application/javascript
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
Fix Apache configuration file for 0.18 [manual action required] Fix Apache configuration file for 0.18 [manual action required]
---------------------------------------------------------- ----------------------------------------------------------
...@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block: ...@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:
ProxyPass "/custom" "!" ProxyPass "/custom" "!"
Alias /custom /srv/funkwhale/custom Alias /custom /srv/funkwhale/custom
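Review bot: this hunk sits in the Apache section and only trims a trailing line, yet the release note above gives upgrade guidance for nginx alone. The Apache template deserves the same check: if it enables compression for JSON or XML through the equivalent module directives, the note needs a matching "manual action required" paragraph; if it does not compress these types, a one-line statement that Apache deployments are unaffected would save operators the research.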
...@@ -37,19 +37,11 @@ server { ...@@ -37,19 +37,11 @@ server {
gzip_vary on; gzip_vary on;
gzip_types gzip_types
application/atom+xml
application/javascript application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json application/vnd.geo+json
application/vnd.ms-fontobject application/vnd.ms-fontobject
application/x-font-ttf application/x-font-ttf
application/x-web-app-manifest+json application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype font/opentype
image/bmp image/bmp
image/svg+xml image/svg+xml
......
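Review bot: this is the same eight-line removal applied to three template files (the `server {` block at line 51 and the `http {` block at line 51 in the following hunks carry identical changes), with no marker in the templates themselves. A short `#` comment above `gzip_types` pointing at #678 and the release note would stop a later contributor from re-adding `application/json` when they next sync the list with a generic nginx gzip recipe. Keeping `gzip_vary on;` is correct, since the remaining types are still compressed.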
...@@ -51,19 +51,11 @@ server { ...@@ -51,19 +51,11 @@ server {
gzip_vary on; gzip_vary on;
gzip_types gzip_types
application/atom+xml
application/javascript application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json application/vnd.geo+json
application/vnd.ms-fontobject application/vnd.ms-fontobject
application/x-font-ttf application/x-font-ttf
application/x-web-app-manifest+json application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype font/opentype
image/bmp image/bmp
image/svg+xml image/svg+xml
......
...@@ -51,19 +51,11 @@ http { ...@@ -51,19 +51,11 @@ http {
gzip_vary on; gzip_vary on;
gzip_types gzip_types
application/atom+xml
application/javascript application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json application/vnd.geo+json
application/vnd.ms-fontobject application/vnd.ms-fontobject
application/x-font-ttf application/x-font-ttf
application/x-web-app-manifest+json application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype font/opentype
image/bmp image/bmp
image/svg+xml image/svg+xml
......