Funnelback patch

  • Released: 2019-09-13

  • Applies to: v15.10.0

  • Internal reference: RNDSUPPORT-3041


  • Prevent XSS AngularJS sandbox bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open-curly-brackets.

  • Please note, this patch was retracted due to incomplete solution causing template errors when used with certain Freemarker escaping modes. The patch, which addresses this issue, should be used instead.

Affected files

  • web/webapps/funnelback-publicui.war: Reverted to a previous version.


  • (Windows) Stop currently running crawls.

  • Stop the Jetty web server and the Funnelback daemon.

  • If bin/ is called directly on the command line, take note of the perl referenced in the #! line.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • If bin/ is called directly on the command line, update the perl referenced in the #! line.

  • To support extended tweets, add "cb.setTweetModeExtended(true);" after the "ConfigurationBuilder cb = new ConfigurationBuilder();" line in the twitter custom_gather.groovy script.

  • Start the Jetty web server and the Funnelback daemon.

  • ( The conf/<collection>/custom_gather.groovy of each Facebook collection that are failing to update due to Facebook API changes should be updated to have the content provided in share/custom_collection_templates/custom_gather.groovy.facebook. The customer will need to provide a never-expiring page access token to replace the app access token.

  • ( If the installation has Facebook collections, the Version given to the DefaultFacebookClient should be changed to Version.Latest e.g. new DefaultFacebookClient(Version.LATEST).

  • (Windows) Start crawls as needed.

  • Collections suffering from the issue with instant updates and external metadata will need to be updated before instant updates will work.