Funnelback patch 15.20.0.15

  • Released: 2019-09-04

  • Applies to: v15.20.0

  • Internal reference: RNDSUPPORT-3041

Description

  • Prevents XSS through AngularJS sandbox-bypass injection in Freemarker templates by inserting a zero-width whitespace character between consecutive opening curly brackets.
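
The mitigation described above, sketched in JavaScript as an added example; it is not Funnelback's code, which applies the fix in its Freemarker templates. The function names and the sample value are constructed for illustration.

```javascript
// Added illustration, not Funnelback's code. All names here are hypothetical.
const ZWSP = "\u200B"; // zero-width space

// HTML-escape a value for element content or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Insert ZWSP after every '{' that is directly followed by another '{'.
// The lookahead leaves the second brace unconsumed, so runs of three or more
// braces are split at every position and the function is idempotent.
function breakInterpolation(value) {
  return String(value).replace(/\{(?=\{)/g, "{" + ZWSP);
}

// What a server-side template should emit for an untrusted value on a page
// that AngularJS will later compile: HTML escaping alone leaves "{{" intact,
// so both steps are needed.
function renderUntrusted(value) {
  return breakInterpolation(escapeHtml(value));
}

// Regression check for rendered output: true if AngularJS's default start
// symbol "{{" still appears.
function hasLiveInterpolation(rendered) {
  return rendered.includes("{{");
}

// Constructed sample: a query string echoed back on a results page.
const sample = "<b>{{1+1}}</b> {{{x";
const rendered = renderUntrusted(sample);
console.log(JSON.stringify(rendered));
console.log(hasLiveInterpolation(escapeHtml(sample)), hasLiveInterpolation(rendered));
```

The inserted character remains in the displayed value, so text copied from the page contains U+200B. The check covers only the default "{{" start symbol; a page that changes it through $interpolateProvider.startSymbol needs the equivalent treatment for its own delimiter.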

Affected files

  • web/webapps/funnelback-publicui.war

Deployment

  • (Windows) Stop any tuning runs that are in progress

  • Stop the Jetty web server

  • Deploy the provided files on top of an existing install.

  • (15.20.0.2) Run $SEARCH_HOME/bin/setup/start_funnelback_on_boot.pl. Please note that this will cause Funnelback services to be restarted.

  • (15.20.0.2) On Unix only, run chown -R search:search $SEARCH_HOME/databases/neo4j/ $SEARCH_HOME/log/neo4j as root to fix file ownership, replacing search with your Funnelback user's username if you used a different one.

  • (15.20.0.2) Restart the Funnelback server to ensure any prior funnelback-graph service is terminated.

  • Start the Jetty web server

  • (15.20.0.3) Perform an update of the knowledge graph on any applicable collections to ensure "mention" relationships that reference themselves are removed.

  • (15.20.0.7) As wcag was deprecated in version 15.12, it is recommended to switch to its replacement by editing collection.cfg: set 'wcag.check=false', remove FAChecker from 'filter.classes=' and set 'accessibility-auditor.check=true'. The wcag check may be completely removed from future versions.