Funnelback patch 15.14.0.20
-
Released: 2018-11-05
-
Applies to: v15.14.0
-
Internal reference: FUN-12114, FUN-12116
Description
Fixes security issues where:
-
The default form-not-found template reflected the given form id without proper escaping.
-
The default configuration of URL previewing could be used to expose local log file content.
Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.
Please ensure that any customized value for the global default_url_renderer.permitted_url_pattern
setting in global.cfg prevents access to file:// URLs.
Deployment
-
(Windows) Stop currently running crawls.
-
Stop the Jetty web server and the Funnelback daemon.
-
Deploy the provided files on top of an existing install, backing up all replaced files.
-
Start the Jetty web server and the Funnelback daemon.
-
(15.14.0.14) The
conf/<collection>/custom_gather.groovy
of each Facebook collection that are failing to update due to Facebook API changes should be updated to have the content provided inshare/custom_collection_templates/custom_gather.groovy.facebook
. The customer will need to provide a never-expiring page access token to replace the app access token. -
(Windows) Start crawls as needed