From 63b3147305409f855407cde70d258c13e805e035 Mon Sep 17 00:00:00 2001
From: gau1991
Date: Thu, 7 May 2015 15:19:03 +0530
Subject: [PATCH] Fixes WordPress XSS Vulnerability found in themes and plugins of example.html

---
 ee/cli/templates/locations.mustache | 4 ++--
 install | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ee/cli/templates/locations.mustache b/ee/cli/templates/locations.mustache
index 9fd1ef25..21e18f82 100644
--- a/ee/cli/templates/locations.mustache
+++ b/ee/cli/templates/locations.mustache
@@ -33,8 +33,8 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
 access_log off;
 log_not_found off;
 }
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html)
-if ($request_uri ~* "^.+(readme|license)\.(txt|html)$") {
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+if ($request_uri ~* "^.+(readme|license|example)\.(txt|html)$") {
 return 403;
 }
 # Status pages
diff --git a/install b/install
index 788dcacb..0d1247e4 100644
--- a/install
+++ b/install
@@ -305,6 +305,14 @@ function ee_update_latest()
 if [ $? -eq 0 ]; then
 update-rc.d hhvm defaults &>> /dev/null
 fi
+
+ # Fix WordPress example.html issue
+ # Ref: http://wptavern.com/xss-vulnerability-in-jetpack-and-the-twenty-fifteen-default-theme-affects-millions-of-wordpress-users
+ dpkg --get-selections | grep -v deinstall | grep nginx &>> /dev/null
+ if [ $? -eq 0 ]; then
+ cp /usr/lib/ee/templates/locations.mustache /etc/nginx/common/locations.conf &>> /dev/null
+ fi
+
 }
 
 # Do git intialisation
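Review bot: The extended check on the `+if` line still tests `$request_uri`, which in nginx is the raw request line including any query string and without percent-decoding, so a `$`-anchored pattern stops applying as soon as a `?` part is present and the normalized path is never what is compared; `$uri` is the decoded, normalized path and is the variable this kind of path rule is usually written against. I would change the line to `if ($uri ~* "(readme|license|example)\.(txt|html)$") {` so the intended file names are refused however the request spells them. Separately, the alternation has no `/` or word boundary in front of it, so any name that merely ends in one of those words (for example `myexample.html`) is also refused; if that breadth is intended, say so in the comment line above, otherwise prefix the group with `/`.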
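Review bot: The new `cp` line replaces `/etc/nginx/common/locations.conf` with the template unconditionally and discards its exit status via `&>> /dev/null`, so any local edits an administrator made to that file are lost without notice and a failed copy is invisible; nothing in the hunk validates or reloads nginx afterwards, and since `ee_update_latest` closes at the `}` shown here, the rule only becomes active if a caller restarts nginx. I would keep the copy's result and follow it with `nginx -t &>> /dev/null && service nginx reload &>> /dev/null` (or whatever reload helper the installer already uses), in the same redirection style as the surrounding lines. The package test can also be the condition itself, `if dpkg --get-selections | grep -v deinstall | grep -q nginx; then`, which removes the separate `$?` check. Because a `.mustache` file is copied verbatim, I am assuming it contains no unrendered `{{ }}` tags — the lines visible in this patch have none, but that should be confirmed for the rest of the template.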