Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
jovuit
funkwhale_OLD
Commits
fa5676ed
Verified
Commit
fa5676ed
authored
Jan 29, 2019
by
Eliot Berriot
Browse files
Fix
#678
: Removed potential BREACH exploit because of Gzip compression
parent
7df97263
Changes
6
Hide whitespace changes
Inline
Side-by-side
CHANGELOG
View file @
fa5676ed
...
...
@@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
...
...
changes/changelog.d/678.bugfix
0 → 100644
View file @
fa5676ed
Removed potential BREACH exploit because of Gzip compression (#678)
changes/notes.rst
View file @
fa5676ed
...
...
@@ -6,6 +6,49 @@ Next release notes
Those release notes refer to the current development branch and are reset
after each release.
Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
--------------------------------------------------------------------------------
In the 0.18 release, we've enabled Gzip compression by default for various
content types, including HTML and JSON. Unfortunately, enabling Gzip compression
on such content types could make BREACH-type exploits possible.
We've removed the risky content-types from our nginx template files, to ensure new
instances are safe, however, if you already have an instance, you need
to double check that your host nginx virtualhost do not include the following
values for the ``gzip_types`` settings::
application/atom+xml
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/xhtml+xml
application/xml
For convenience, you can also replace the whole setting with the following snippet::
gzip_types
application/javascript
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
Fix Apache configuration file for 0.18 [manual action required]
----------------------------------------------------------
...
...
@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:
ProxyPass "/custom" "!"
Alias /custom /srv/funkwhale/custom
deploy/docker.proxy.template
View file @
fa5676ed
...
...
@@ -37,19 +37,11 @@ server {
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
...
...
deploy/nginx.template
View file @
fa5676ed
...
...
@@ -51,19 +51,11 @@ server {
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
...
...
docker/nginx/conf.dev
View file @
fa5676ed
...
...
@@ -51,19 +51,11 @@ http {
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/activity+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment