<div dir="ltr">Daniel, this is good; we did this on master and 2.4.x as well, see <a href="https://github.com/GeoNode/geonode/commit/5023b5df25da4acd7854e70f59e3cecb32d3f2f2">https://github.com/GeoNode/geonode/commit/5023b5df25da4acd7854e70f59e3cecb32d3f2f2</a><div><br></div><div>Ciao</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-13 12:04 GMT+01:00 Daniel Victoria <span dir="ltr"><<a href="mailto:daniel.victoria@gmail.com" target="_blank">daniel.victoria@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>The geonode.conf file in my Geonode installation (2.4) did not have those lines. However, the uploaded/layers directory was still open to all. Looking at the geonode.conf file I noticed that the uploaded/documents directory was closed with the options:<br><br><span style="font-family:monospace,monospace"><Directory "/var/www/geonode/uploaded/documents/"><br> Order allow,deny<br> Deny from all<br></Directory></span><br><br></div>So I repeated the same lines for the layers directory:<br><div><br><span style="font-family:monospace,monospace"><Directory "/var/www/geonode/uploaded/layers/"><br> Order allow,deny<br> Deny from all<br></Directory></span><br><br></div><div>Does that look OK? Or am I bound to break something?
So far, everything looks fine.<br><br></div><div>Thanks<br></div><div>Daniel<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 13, 2017 at 4:15 AM, Simone Dalmasso <span dir="ltr"><<a href="mailto:simone.dalmasso@gmail.com" target="_blank">simone.dalmasso@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Jonathan,<div><br></div><div>the change is not yet published in the packages, but 2.6 will definitely contain it.</div><div><br></div><div>Best</div></div><div class="gmail_extra"><div><div class="m_4759068097811399057h5"><br><div class="gmail_quote">2017-02-13 0:28 GMT+01:00 Jonathan Doig <span dir="ltr"><<a href="mailto:j.doig@unsw.edu.au" target="_blank">j.doig@unsw.edu.au</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-AU">
<div class="m_4759068097811399057m_1874596603036802601m_-8585960510053148795WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1f497d">I’ve tested upload at my end after the change: no impact. Also it was advised (and merged to the doco) by Geonode dev Simone Dalmasso.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1f497d">Regards</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1f497d">Jonathan</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1f497d"> </span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Tahoma,sans-serif" lang="EN-US">From:</span></b><span style="font-size:10.0pt;font-family:Tahoma,sans-serif" lang="EN-US"> Daniel Victoria [mailto:<a href="mailto:daniel.victoria@gmail.com" target="_blank">daniel.victoria@gmail.com</a>]
<br>
<b>Sent:</b> Friday, 10 February 2017 11:22 PM<br>
<b>To:</b> Jonathan Doig<br>
<b>Cc:</b> <a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
<b>Subject:</b> Re: [GeoNode-users] Geonode security vulnerability</span></p><div><div class="m_4759068097811399057m_1874596603036802601h5">
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Jonathan,</p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thanks for the heads up. Just to be sure, by changing the geonode.conf I won't break any other GeoNode functionality?</p>
</div>
<p class="MsoNormal">Cheers</p>
</div>
<p class="MsoNormal">Daniel</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <<a href="mailto:j.doig@unsw.edu.au" target="_blank">j.doig@unsw.edu.au</a>> wrote:</p>
<div>
<div>
<p class="MsoNormal">Dear all</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I found this issue on my own site and am passing it on as it also affects a number of sites I’ve found online.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The data on your Geonode site may be publicly downloadable, regardless of permissions, at:</p>
<p class="MsoNormal">http://<your_geonode_host>/uploaded/layers/</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">You need to edit /etc/apache2/sites-available/geonode.conf and remove the block which tells Apache to serve uploaded/layers/. It will look something like this:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"><Directory "/home/geonode/geonode/geonode/uploaded/layers/"></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">    Order allow,deny</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">    Options Indexes FollowSymLinks</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">    Allow from all</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">    Require all granted</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">    IndexOptions FancyIndexing</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"></Directory></span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Then restart Apache:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">sudo service apache2 restart</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ve issued a <a href="https://github.com/GeoNode/geonode/pull/2899" target="_blank">pull request</a> to update the <a href="http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration" target="_blank">install doco</a>. As a courtesy, I’ve also contacted the admins of sites I found through a “Powered by Geonode” Google search.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Regards</p>
<p class="MsoNormal"><b><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#e36c0a" lang="EN-US">Jonathan Doig</span></b></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">Software Engineer – Spatial Systems</span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">City Futures Research Centre</span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">UNSW Built Environment</span></i></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">Level 3, Red Centre West Wing</span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f"> </span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">UNSW Sydney</span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">NSW 2052 AUSTRALIA</span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#7f7f7f">T: <a href="tel:+61%202%209385%205319" target="_blank">+61 (2) 9385 5319</a> M: 0409 049185</span></p>
<p class="MsoNormal"><a href="http://cityfutures.be.unsw.edu.au/" target="_blank"><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:#0563c1">cityfutures.net.au</span></a></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
geonode-users mailing list<br>
<a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geonode-users" target="_blank">https://lists.osgeo.org/mailman/listinfo/geonode-users</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
</div></div></div>
</div>
<br></blockquote></div><br><br clear="all"><span class="HOEnZb"><font color="#888888"><div><br></div></font></span></div></div><span class="HOEnZb"><font color="#888888"><span class="m_4759068097811399057HOEnZb"><font color="#888888">-- <br><div class="m_4759068097811399057m_1874596603036802601gmail_signature" data-smartmail="gmail_signature">Simone </div>
</font></span></font></span></div>
</blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Simone </div>
</div>
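<p>The thread above boils down to one Apache <code><Directory></code> block that overrides GeoNode's own permission checks. The following is an added example, not code from the thread or from the GeoNode project: a small audit script that parses an Apache config for <code><Directory></code> blocks covering <code>uploaded/layers</code> and reports whether the block opens the directory and whether directory listings are on. Both sample configs are constructed here: <code>EXPOSED_CONF</code> reproduces the block Jonathan says to remove, and <code>CLOSED_CONF</code> reproduces Daniel's replacement with the equivalent Apache 2.4 <code>Require all denied</code> line added (that line is an addition by this example, not something the thread contains).</p>

```python
"""Audit an Apache config for <Directory> blocks that expose GeoNode's
uploaded/layers directory. Added example for this thread; not GeoNode code.
"""
import re

# Matches <Directory "/path/"> ... </Directory>, quoted or unquoted path.
DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^"\s>]+)"?\s*>(.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: the block Jonathan's mail says to remove.
EXPOSED_CONF = """
<Directory "/home/geonode/geonode/geonode/uploaded/layers/">
    Order allow,deny
    Options Indexes FollowSymLinks
    Allow from all
    Require all granted
    IndexOptions FancyIndexing
</Directory>
"""

# Constructed sample: Daniel's replacement, plus the 2.4 'Require' form
# (added here; 'Order'/'Deny' on 2.4 only work with mod_access_compat loaded).
CLOSED_CONF = """
<Directory "/var/www/geonode/uploaded/layers/">
    Order allow,deny
    Deny from all
    Require all denied
</Directory>
"""

# Opening and closing directives in both syntaxes (2.2 Allow/Deny, 2.4 Require).
GRANTS = {("allow", "from all"), ("require", "all granted")}
DENIES = {("deny", "from all"), ("require", "all denied")}


def parse_directory_blocks(conf_text):
    """Return [(path, [(directive, args), ...]), ...] for every <Directory> block.

    Comments are stripped and names/args are lower-cased with whitespace
    collapsed; Apache directive names are case-insensitive anyway.
    """
    blocks = []
    for match in DIRECTORY_RE.finditer(conf_text):
        directives = []
        for raw in match.group(2).splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            name = parts[0].lower()
            args = " ".join(parts[1].split()).lower() if len(parts) > 1 else ""
            directives.append((name, args))
        blocks.append((match.group(1), directives))
    return blocks


def access_state(directives):
    """What the block itself says about anonymous access.

    'granted'   only opening directives present
    'denied'    only closing directives present
    'mixed'     both present: the block contradicts itself, review by hand
    'inherited' neither present: access falls back to the enclosing config
    """
    present = set(directives)
    has_grant = bool(present & GRANTS)
    has_deny = bool(present & DENIES)
    if has_grant and has_deny:
        return "mixed"
    if has_grant:
        return "granted"
    if has_deny:
        return "denied"
    return "inherited"


def indexes_enabled(directives):
    """True if an Options line switches directory listings on."""
    return any(
        name == "options" and any(opt in ("indexes", "+indexes") for opt in args.split())
        for name, args in directives
    )


def audit_uploaded_layers(conf_text, marker="uploaded/layers"):
    """Findings for every <Directory> block whose path covers the layers upload dir."""
    return [
        {"path": path, "access": access_state(d), "indexes": indexes_enabled(d)}
        for path, d in parse_directory_blocks(conf_text)
        if marker in path
    ]


def is_exposed(finding):
    """Anything short of an unambiguous deny, or a listing, counts as exposed."""
    return finding["access"] != "denied" or finding["indexes"]


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("closed", CLOSED_CONF)):
        for f in audit_uploaded_layers(conf):
            print(label, f["path"], f["access"], f["indexes"], "EXPOSED" if is_exposed(f) else "ok")
```

<p>Two caveats when running this against a real <code>geonode.conf</code>. It only reads <code><Directory></code> blocks, so it will not tell you whether the path is actually mapped into the URL space by an <code>Alias</code> or the <code>DocumentRoot</code>, and an <code>inherited</code> result means the answer lives in an enclosing block that needs a manual look. Removing the block entirely, as Jonathan suggests, is the simplest outcome; if you keep a block, prefer the 2.4 <code>Require all denied</code> form, because <code>Order</code>/<code>Deny</code> are only honoured on Apache 2.4 when <code>mod_access_compat</code> is loaded. After restarting Apache, confirm from outside the host that a request for <code>/uploaded/layers/</code> returns 403 rather than a listing.</p>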