Fixes WordPress XSS Vulnerability found in themes and plugins of example.html

10 years ago · 63b3147305
2 changed files with 10 additions and 2 deletions
--- a/ee/cli/templates/locations.mustache
+++ b/ee/cli/templates/locations.mustache
@ -33,8 +33,8 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
  access_log off;
  log_not_found off;
 }
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html)
-if ($request_uri ~* "^.+(readme|license)\.(txt|html)$") {
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+if ($request_uri ~* "^.+(readme|license|example)\.(txt|html)$") {
  return 403;
 }
 # Status pages
--- a/8
+++ b/8
@ -305,6 +305,14 @@ function ee_update_latest()
    if [ $? -eq 0 ]; then
        update-rc.d hhvm defaults &>> /dev/null
    fi
+
+    # Fix WordPress example.html issue
+    # Ref: http://wptavern.com/xss-vulnerability-in-jetpack-and-the-twenty-fifteen-default-theme-affects-millions-of-wordpress-users
+    dpkg --get-selections | grep -v deinstall | grep nginx &>> /dev/null
+    if [ $? -eq 0 ]; then
+        cp /usr/lib/ee/templates/locations.mustache /etc/nginx/common/locations.conf &>> /dev/null
+    fi
+
 }

 # Do git intialisation