Funnelback patch

  • Released: 2019-10-28

  • Applies to: v15.20.0

  • Internal reference: RNDSUPPORT-3079


  • Prevents XSS vulnerabilities found in the classic administration dashboard.

Affected files

  • lib/perl/Funnelback/

  • web/admin/delete-file.cgi

  • web/admin/download-conf.cgi

  • web/admin/edit-conf.cgi

  • web/admin/edit-form.cgi

  • web/admin/example-gui.cgi

  • web/admin/load-ctest.cgi

  • web/admin/publish.cgi

  • web/admin/restore-conf.cgi

  • web/admin/show-file.cgi

  • web/admin/show-monitor-log.cgi

  • web/admin/svn.cgi

  • web/admin/upload-conf.cgi


  • (Windows) Stop any tuning runs that are in progress

  • Stop the Jetty web server

  • Deploy the provided files on top of an existing install.

  • ( Run $SEARCH_HOME/bin/setup/ - Please note that this will cause Funnelback services to be restarted.

  • ( On unix only, run chown -R search:search $SEARCH_HOME/databases/neo4j/ $SEARCH_HOME/log/neo4j as root to fix file ownership replacing search with your funnelback user’s username if you used a different one.

  • ( Run $SEARCH_HOME/bin/setup/ to regenerate service files from the templates. Please note that this will cause each Funnelback service to be restarted.

  • ( Reboot the Funnelback server to ensure systemd picks up the changes to the service files

  • ( Restart the Funnelback server to ensure any prior funnelback-graph service is terminated.

  • Start the Jetty web server

  • ( Perform an update of knowledge graph on any applicable collections to ensure "mention" relationships that reference themselves are removed.

  • ( As wcag was deprecated in version 15.12 it is recommended to switch to using its replacement by editing collection.cfg to have 'wcag.check=false', remove FAChecker from 'filter.classes=' and set 'accessibility-auditor.check=true'. The wcag check may be completely removed from future versions.

  • Start the Jetty web server if the server was not restarted.