Funnelback patch 15.10.0.39

  • Released: 2019-09-24

  • Applies to: v15.10.0

  • Internal reference: RNDSUPPORT-3041

Description

  • Prevent XSS AngularJS sandbox bypassing injection in Freemarker templates escaped using output formats by inserting zero-width whitespace between consecutive open-curly-brackets.

Affected files

  • web/webapps/funnelback-publicui.war

Deployment

  • (Windows) Stop currently running crawls.

  • Stop the Jetty web server and the Funnelback daemon.

  • If bin/delete-collection.pl is called directly on the command line, take note of the perl referenced in the #! line.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • If bin/delete-collection.pl is called directly on the command line, update the perl referenced in the #! line.

  • To support extended tweets, add "cb.setTweetModeExtended(true);" after the "ConfigurationBuilder cb = new ConfigurationBuilder();" line in the twitter custom_gather.groovy script.

  • Start the Jetty web server and the Funnelback daemon.

  • (15.10.0.32) The conf/<collection>/custom_gather.groovy of each Facebook collection that are failing to update due to Facebook API changes should be updated to have the content provided in share/custom_collection_templates/custom_gather.groovy.facebook. The customer will need to provide a never-expiring page access token to replace the app access token.

  • (15.10.0.8) If the installation has Facebook collections, the Version given to the DefaultFacebookClient should be changed to Version.Latest e.g. new DefaultFacebookClient(Version.LATEST).

  • (Windows) Start crawls as needed.

  • Collections suffering from the issue with instant updates and external metadata will need to be updated before instant updates will work.