From 24a3c65e322d86d7d2bb82ea11bab36728c63475 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Fri, 8 Nov 2019 02:20:14 +0000
Subject: [PATCH] Work around CVE-2018-12532

https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html

Change-Id: I2c6cd13e0aeb71e5bebc680568fdf9f6f0656b74
---
 manifests/apache.pp | 6 ++++++
 templates/zanata.vhost.erb | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/manifests/apache.pp b/manifests/apache.pp
index d93ca0e..c766bd4 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -29,6 +29,12 @@ class zanata::apache (
 include ::httpd
 include ::httpd::ssl
+ if !defined(Httpd_mod['rewrite']) {
+ httpd_mod { 'rewrite':
+ ensure => present,
+ }
+ }
+
 httpd_mod { 'proxy':
 ensure => present,
 }
diff --git a/templates/zanata.vhost.erb b/templates/zanata.vhost.erb
index 08f45b3..9a23d1e 100644
--- a/templates/zanata.vhost.erb
+++ b/templates/zanata.vhost.erb
@@ -32,7 +32,11 @@
 SSLCertificateChainFile <%= scope.lookupvar("zanata::apache::ssl_chain_file") %>
 <% end -%>
+ # CVE-2018-12532 https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
+ RewriteEngine on
+ RewriteRule .*(/DATA/|org\.richfaces\.resource\.MediaOutputResource).* - [F,L]
+
 ProxyPass / ajp://127.0.0.1:8009/ retry=0
-
\ No newline at end of file
+
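Review bot: The `if !defined(Httpd_mod['rewrite'])` guard in manifests/apache.pp depends on evaluation order: it avoids a duplicate declaration only when the other declaration has already been evaluated, so a class evaluated later that declares `httpd_mod { 'rewrite': }` unguarded would still fail catalog compilation. If puppetlabs-stdlib is available to this module (not visible in the hunk), `ensure_resource('httpd_mod', 'rewrite', { 'ensure' => 'present' })` is the usual replacement, provided the other declarers use it as well. The block also deserves a comment stating why the module is loaded, for example `# mod_rewrite is required by the CVE-2018-12532 RewriteRule in templates/zanata.vhost.erb`, so that it is not later removed as unused and the mitigation silently lost. The body of `zanata::apache` starts and ends outside the hunk.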
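Review bot: The added `RewriteRule` in templates/zanata.vhost.erb covers only requests handled by this virtual host and only tests the URL path, so any other virtual host in the template that also proxies to `ajp://127.0.0.1:8009/` would need the same three lines; the rest of the template is outside the hunk, so this should be confirmed. The comment gives the CVE and a link but not what the rule denies or when it can be removed; something like `# Deny RichFaces resource-handler URLs (403) until RichFaces is upgraded or removed` would help the next maintainer. `[F,L]` can be written `[F]`, since `F` already ends rule processing. The unanchored, case-sensitive `/DATA/` alternative will also return 403 for any legitimate path containing that segment, which is worth checking against Zanata's own URLs and covering with a post-deploy request that expects a 403.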