Refuse external connections to the API

The Etherpad API is only useful for authenticated access via the
secret API key, which resides on the server's filesystem. It can
already be accessed from localhost over the nodejs listener socket,
so doesn't need to be reachable through the external Apache proxy.
Refuse connections to it through Apache in an effort to reduce
exposure to future unauthenticated or authentication bypass bugs in
the API implementation.

Change-Id: Ia5cf2f15c21eb397eeb878c81cd3c7a29f5aecbd
Jeremy Stanley 2018-04-11 16:45:15 +00:00
parent e44d991eae
commit 5b9395aea1
1 changed files with 3 additions and 0 deletions

@ -78,6 +78,9 @@
# etherpad-lite installation.
RewriteRule ^/robots.txt$ <%= scope.lookupvar("etherpad_lite::apache::docroot") %>/robots.txt [L]
# Refuse external connections to the API through the proxy
RewriteRule ^/api/ - [F,L]
RewriteCond %{REQUEST_URI} !^/p/
RewriteCond %{REQUEST_URI} !^/locales/
RewriteCond %{REQUEST_URI} !^/locales.json
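
Review bot: The pattern in the added `RewriteRule ^/api/ - [F,L]` only matches paths that include the trailing slash, so a request for `/api` with nothing after it is not refused here and falls through to the `RewriteCond` chain that follows. Whether that request is then proxied depends on the rule those conditions attach to, which is outside this hunk, so it would be safer to anchor the pattern as `^/api(/|$)` and not rely on the later rules. As a style point, the `F` flag already implies `L`, so `[F]` alone is enough. The commit message says the API stays reachable from localhost over the nodejs listener; a check that a request through the proxy returns 403 while the local listener still answers would confirm both halves of that.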