Fixes WordPress XSS Vulnerability found in themes and plugins of example.html

gau1991 · gau1991 · commit 63b314730540 · 2015-05-07T15:19:03.000+05:30
diff --git a/ee/cli/templates/locations.mustache b/ee/cli/templates/locations.mustache
@@ -33,8 +33,8 @@ location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$
   access_log off;
   log_not_found off;
 }
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html)
-if ($request_uri ~* "^.+(readme|license)\.(txt|html)$") {
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+if ($request_uri ~* "^.+(readme|license|example)\.(txt|html)$") {
   return 403;
 }
 # Status pages
diff --git a/install b/install
@@ -305,6 +305,14 @@ function ee_update_latest()
     if [ $? -eq 0 ]; then
         update-rc.d hhvm defaults &>> /dev/null
     fi
+
+    # Fix WordPress example.html issue
+    # Ref: http://wptavern.com/xss-vulnerability-in-jetpack-and-the-twenty-fifteen-default-theme-affects-millions-of-wordpress-users
+    dpkg --get-selections | grep -v deinstall | grep nginx &>> /dev/null
+    if [ $? -eq 0 ]; then
+        cp /usr/lib/ee/templates/locations.mustache /etc/nginx/common/locations.conf &>> /dev/null
+    fi
+
 }
 
 # Do git intialisation

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,8 @@ location ~* ^.+\.(bak\|log\|old\|orig\|original\|php#\|php~\|php_bak\|save\|swo\|swp\|sql)$`
`33`	`33`	`access_log off;`
`34`	`34`	`log_not_found off;`
`35`	`35`	`}`
`36`		`-# Return 403 forbidden for readme.(txt\|html) or license.(txt\|html)`
`37`		`-if ($request_uri ~* "^.+(readme\|license)\.(txt\|html)$") {`
	`36`	`+# Return 403 forbidden for readme.(txt\|html) or license.(txt\|html) or example.(txt\|html)`
	`37`	`+if ($request_uri ~* "^.+(readme\|license\|example)\.(txt\|html)$") {`
`38`	`38`	`return 403;`
`39`	`39`	`}`
`40`	`40`	`# Status pages`