Work around CVE-2018-12532

https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html Change-Id: I2c6cd13e0aeb71e5bebc680568fdf9f6f0656b74
2019-11-08 02:20:14 +00:00 · 2019-11-08 02:20:14 +00:00 · 24a3c65e32
commit 24a3c65e32
parent 7047152960
2 changed files with 11 additions and 1 deletions
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@ -29,6 +29,12 @@ class zanata::apache (
  include ::httpd
  include ::httpd::ssl

+  if !defined(Httpd_mod['rewrite']) {
+    httpd_mod { 'rewrite':
+      ensure => present,
+    }
+  }
+
  httpd_mod { 'proxy':
    ensure => present,
  }
--- a/templates/zanata.vhost.erb
+++ b/templates/zanata.vhost.erb
@ -32,6 +32,10 @@
    SSLCertificateChainFile <%= scope.lookupvar("zanata::apache::ssl_chain_file") %>
  <% end -%>

+  # CVE-2018-12532 https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
+  RewriteEngine on
+  RewriteRule .*(/DATA/|org\.richfaces\.resource\.MediaOutputResource).* - [F,L]
+
  ProxyPass / ajp://127.0.0.1:8009/ retry=0

 </VirtualHost>