CVE-2022-35925: Merge pull request #2230 from bookwyrm-social/nginx-rate-limit · bookwyrm-social/bookwyrm@7bbe42f
BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 lack rate limiting on the authentication views, which allows brute-force attacks such as password guessing against the login form. The issue is patched in version 0.4.5. Admins with existing instances will need to update the nginx.conf file that was created when the instance was set up. Users are advised to upgrade. Users unable to upgrade may apply the changes to their nginx.conf files manually.
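As an added example (not code from BookWyrm or from this pull request), a small Python audit an admin could run against an existing nginx.conf before and after applying the change: it parses the config, collects `limit_req_zone` definitions and `limit_req` directives, and reports which of the three authentication paths still reach the upstream unthrottled. The sample configs embedded in it are constructed to mirror the development template. The parser is an assumption-laden simplification: it expects a self-contained file (no `include`), assumes `#` never occurs inside a quoted value, and does not model nginx location precedence.

```python
"""Audit an nginx config for rate limiting on BookWyrm's authentication views."""
import re

# Authentication views the advisory and the patched location regex refer to.
AUTH_PATHS = ("/login", "/password-reset", "/resend-link")


def _strip_comments(text):
    # Assumes '#' never appears inside a quoted value (true for the stock templates).
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _tokenize(text):
    # Directive words plus the three structural characters; whitespace is dropped.
    return re.findall(r"[{};]|[^\s{};]+", _strip_comments(text))


def _parse(tokens, pos=0):
    """Recursive-descent parse into (args, children) nodes; children is None for a simple directive."""
    nodes, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            nodes.append((args, None))
            args = []
        elif tok == "{":
            children, pos = _parse(tokens, pos)
            nodes.append((args, children))
            args = []
        elif tok == "}":
            break
        else:
            args.append(tok)
    return nodes, pos


def _collect(nodes, parent, zones, limits):
    """Gather defined limit_req_zone names and every limit_req with the block that encloses it."""
    for args, children in nodes:
        if not args:
            continue
        if args[0] == "limit_req_zone":
            for a in args[1:]:
                if a.startswith("zone="):
                    zones.add(a[5:].split(":", 1)[0])
        elif args[0] == "limit_req":
            for a in args[1:]:
                if a.startswith("zone="):
                    limits.append((parent, a[5:]))
        if children:
            _collect(children, args, zones, limits)


def _location_matches(loc_args, path):
    """Does a location header (e.g. ['location', '~', '^/(login|...)']) match the path?"""
    modifier = loc_args[1] if len(loc_args) > 2 else ""
    pattern = loc_args[-1]
    if modifier == "=":
        return path == pattern
    if modifier == "~":
        return re.search(pattern, path) is not None
    if modifier == "~*":
        return re.search(pattern, path, re.IGNORECASE) is not None
    return path.startswith(pattern)  # plain prefix or ^~


def _applies(parent, path):
    # limit_req directly in http/server context covers every path; in a location, only its matches.
    if parent is None or parent[0] in ("http", "server"):
        return True
    return parent[0] == "location" and _location_matches(parent, path)


def audit(config_text):
    """Return the auth paths not protected by a limit_req that names a defined zone.

    Limitation (assumption of this example): nginx location precedence is not
    modelled, so a more specific unlimited location could still win in a real
    config, and files pulled in via `include` are not followed.
    """
    nodes, _ = _parse(_tokenize(config_text))
    zones, limits = set(), []
    _collect(nodes, None, zones, limits)
    return [p for p in AUTH_PATHS
            if not any(z in zones and _applies(parent, p) for parent, z in limits)]


# Constructed samples modelled on the nginx/development template: before and after the patch.
UNPATCHED = """
upstream web { server web:8000; }
server {
    listen 80;
    location / {
        proxy_pass http://web;
        proxy_set_header Host $host;
    }
}
"""

PATCHED = """
limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;
upstream web { server web:8000; }
server {
    listen 80;
    location ~ ^/(login|password-reset|resend-link) {
        limit_req zone=loginlimit;
        proxy_pass http://web;
    }
    location / {
        proxy_pass http://web;
    }
}
"""

# The production template ships the block commented out; the audit treats it as absent.
COMMENTED_OUT = """
limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;
server {
    listen 80;
    # location ~ ^/(login|password-reset|resend-link) {
    #     limit_req zone=loginlimit;
    #     proxy_pass http://web;
    # }
    location / { proxy_pass http://web; }
}
"""

if __name__ == "__main__":
    for name, cfg in (("unpatched", UNPATCHED), ("patched", PATCHED), ("commented out", COMMENTED_OUT)):
        print(f"{name}: unthrottled auth paths = {audit(cfg)}")
```

Run it against the real file by reading it into `audit()`; an empty list means every one of the three paths is caught by a `limit_req` bound to a zone that is actually defined, which also catches the easy mistake of uncommenting the production location block without adding the `limit_req_zone` line to `server_config`.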
Merge pull request #2230 from bookwyrm-social/nginx-rate-limit
Adds rate limiting to some views in nginx
2 parents ed20587 + e1e6a2d commit 7bbe42fb30a79a26115524d18b697d895563c92f
Showing 3 changed files with 19 additions and 0 deletions.
- development
- production
- server_config
@@ -7,6 +7,15 @@ upstream web {
server {
listen 80;
location ~ ^/(login|password-reset|resend-link) {
limit_req zone=loginlimit;
proxy_pass http://web;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
}
location / {
proxy_pass http://web;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
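Review bot: `limit_req zone=loginlimit;` in the new `location ~ ^/(login|password-reset|resend-link)` block carries no `burst` (and therefore no `nodelay`), so with the zone's `rate=1r/s` a second request from the same address within a second is rejected outright, and nginx's default for that rejection is a 503. A legitimate user who double-submits the login form, or a client that retries, gets a response indistinguishable from an outage. Consider `limit_req zone=loginlimit burst=5 nodelay;` together with `limit_req_status 429;` so that only sustained guessing is blocked and the client can tell it is being throttled. It would also help to state in the commit message or docs that only these three path prefixes are covered; any other authentication view stays unlimited.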
@@ -41,6 +41,15 @@ server {
# root /var/www/certbot;
# }
# location ~ ^/(login|password-reset|resend-link) {
# limit_req zone=loginlimit;
# proxy_pass http://web;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_redirect off;
# }
# location / {
# proxy_pass http://web;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
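Review bot: the whole new location block is commented out, matching the surrounding commented production template, so an admin who deploys this file as shipped gets no rate limiting at all, and nothing in the diff tells them to uncomment it or that it depends on the `loginlimit` zone being defined elsewhere. Since the advisory expects existing admins to edit nginx.conf by hand, a one-line comment above the block along the lines of `# uncomment to rate-limit the authentication views; requires the limit_req_zone line in server_config` would make both steps explicit.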
@@ -1 +1,2 @@
client_max_body_size 10m;
limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;
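Review bot: `limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;` keys the limit on the TCP peer address, so if an instance sits behind another reverse proxy or a CDN every client shares that proxy's address and the limit throttles all users together without distinguishing an attacker. The `proxy_set_header X-Forwarded-For` lines in the other two files suggest nginx is the edge in the stock deployment, but the admin docs should say so, or a `set_real_ip_from` / `real_ip_header` configuration should be documented for deployments where it is not. Worth noting as well that a per-address limit of 1r/s is a mitigation rather than a complete fix for the brute-force issue: an attacker with many source addresses still gets one attempt per second per address, so per-account throttling in the application would complement this.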
1 comment on commit 7bbe42f
@mouse-reeve maintainer, please confirm: are you happy to assign a CVE for this? Then only the hunter.dev admin can move further.