<div dir="ltr">Hi Jonathan,<div><br></div><div>the change is not yet published in the packages but the 2.6 will definitely contain it.</div><div><br></div><div>Best</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-13 0:28 GMT+01:00 Jonathan Doig <span dir="ltr"><<a href="mailto:j.doig@unsw.edu.au" target="_blank">j.doig@unsw.edu.au</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-AU" link="blue" vlink="purple">
<div class="m_-8585960510053148795WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’ve tested upload at my end after the change: no impact. Also it was advised (and merged to the doco) by Geonode dev Simone Dalmasso.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Jonathan<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Daniel Victoria [mailto:<a href="mailto:daniel.victoria@gmail.com" target="_blank">daniel.victoria@gmail.<wbr>com</a>]
<br>
<b>Sent:</b> Friday, 10 February 2017 11:22 PM<br>
<b>To:</b> Jonathan Doig<br>
<b>Cc:</b> <a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
<b>Subject:</b> Re: [GeoNode-users] Geonode security vulnerability<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Jonathan,<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thanks for the heads up. Just to be sure, by changing the geonode.conf I wont break any other GeoNode funcionality?<u></u><u></u></p>
</div>
<p class="MsoNormal">Cheers<u></u><u></u></p>
</div>
<p class="MsoNormal">Daniel<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <<a href="mailto:j.doig@unsw.edu.au" target="_blank">j.doig@unsw.edu.au</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">Dear all<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">I found this issue on my own site and am passing it on as it also affects a number of sites I’ve found online.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">The data on your Geonode site may be publicly downloadable, regardless of permissions, at:<u></u><u></u></p>
<p class="MsoNormal"><a href="http://%3cyour_geonode_host%3e/uploaded/layers/" target="_blank">http://<your_geonode_host>/<wbr>uploaded/layers/</a><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">You need to edit /etc/apache2/sites-available/<wbr>geonode.conf and remove the block which tells Apache to serve uploaded/layers/. It will look something like this:<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> <Directory "/home/geonode/geonode/<wbr>geonode/uploaded/layers/"></span><u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> Order allow,deny</span><u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> Options Indexes FollowSymLinks</span><u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> Allow from all</span><u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> Require all granted</span><u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> IndexOptions FancyIndexing</span><u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> </Directory></span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Then restart Apache:<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:9.0pt;font-family:Consolas;color:#404040"> sudo service apache2 restart</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">I’ve issued a
<a href="https://github.com/GeoNode/geonode/pull/2899" target="_blank">pull request</a> to update the
<a href="http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration" target="_blank">
install doco</a>. As a courtesy, I’ve also contacted the admins of sites I found through a “Powered by Geonode” Google search.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Regards<u></u><u></u></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#e36c0a">Jonathan Doig</span></b><u></u><u></u></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">Software Engineer – Spatial Systems</span></i><u></u><u></u></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">City Futures Research Centre</span></i><u></u><u></u></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">UNSW Built Environment
</span></i><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">Level 3, Red Centre West Wing
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">UNSW Sydney</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">NSW 2052 AUSTRALIA</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7f7f7f">T:<a href="tel:+61%202%209385%205319" target="_blank">+ 61 (2) 9385 5319</a> M: 0409 049185</span><u></u><u></u></p>
<p class="MsoNormal"><a href="http://cityfutures.be.unsw.edu.au/" target="_blank"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#0563c1">cityfutures.net.au</span></a><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
______________________________<wbr>_________________<br>
geonode-users mailing list<br>
<a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geonode-users" target="_blank">https://lists.osgeo.org/<wbr>mailman/listinfo/geonode-users</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
<br>______________________________<wbr>_________________<br>
geonode-users mailing list<br>
<a href="mailto:geonode-users@lists.osgeo.org">geonode-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geonode-users" rel="noreferrer" target="_blank">https://lists.osgeo.org/<wbr>mailman/listinfo/geonode-users</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Simone </div>
</div>