Funnelback patch 15.12.0.33

  • Released: 2019-09-13

  • Applies to: v15.12.0

  • Internal reference: RNDSUPPORT-3041

Description

  • Prevent XSS AngularJS sandbox bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open-curly-brackets.

  • Please note, this patch was retracted due to incomplete solution causing template errors when used with certain Freemarker escaping modes. The 15.12.0.34 patch, which addresses this issue, should be used instead.

Affected files

  • web/webapps/funnelback-publicui.war: Reverted to a previous version.

Deployment

  • (Windows) Stop currently running crawls.

  • Stop the Jetty web server and the Funnelback daemon.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • Start the Jetty web server and the Funnelback daemon.

  • 15.12.0.21 The conf/<collection>/custom_gather.groovy of each Facebook collection that are failing to update due to Facebook API changes should be updated to have the content provided in share/custom_collection_templates/custom_gather.groovy.facebook. The customer will need to provide a never-expiring page access token to replace the app access token. Instructions on getting a never-expiring page access token can be found in the Funnelback Community Knowledgebase.