Quote: A hole has been found in XMLUI, the size of... well, a big one, basically! Everyone needs to update urgently. The hole is everywhere, from version 1.8 to 5.4!
Thanks, we're sitting tight for now. Waiting for a plug to appear.
Simply find the root sitemap (usually at [dspace]/webapps/xmlui/sitemap.xmap) and add the following:
<!-- Temporary block -->
<!-- Internally redirect all vulnerable URLs to /error (which doesn't exist and throws a 404) -->
<map:match pattern="themes/**:**">
<map:redirect-to uri="{request:contextPath}/error" permanent="yes"/>
</map:match>
<!-- NOTE: the above section should be added just BEFORE this next following section (which exists around line #623-625) -->
<!-- handle common theme resources, such as dri2xhtml -->
<map:match pattern="themes/*">
<map:read src="themes/{1}"/>
</map:match>
The change will take effect immediately. Any of the vulnerable URLs will be redirected to "/error" (which doesn't exist in DSpace, and will cause DSpace to simply return a 404 Page Not Found error).
To verify the quick fix is working, visit a URL like: http://[dspace.url]/themes/Reference/test:url (Be sure to test both HTTP and HTTPS). The URL should be redirected to [dspace.url]/error/ and a Page Cannot be Found response returned. As long as this occurs, the quick fix was successful.
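The note in the snippet requires the temporary block to sit just before the `themes/*` matcher. The following added example (not part of the original post and not DSpace code) checks that ordering in a sitemap file. The function names and the embedded sample sitemap are constructed for illustration, and the standard Cocoon sitemap namespace is assumed for the `map:` prefix.

```python
import sys
import xml.etree.ElementTree as ET

MAP_NS = "http://apache.org/cocoon/sitemap/1.0"  # assumed binding of the map: prefix
BLOCK_PATTERN = "themes/**:**"  # temporary block rule from the post
READ_PATTERN = "themes/*"       # stock theme-resource matcher from the post

def check_sitemap(xml_data):
    """Return (ok, reason) describing the placement of the temporary block rule."""
    root = ET.fromstring(xml_data)
    # iter() walks elements in document order, which is what the note is about
    matches = list(root.iter("{%s}match" % MAP_NS))
    patterns = [m.get("pattern") for m in matches]
    if BLOCK_PATTERN not in patterns:
        return False, "block rule missing"
    block_idx = patterns.index(BLOCK_PATTERN)
    redirect = matches[block_idx].find("{%s}redirect-to" % MAP_NS)
    if redirect is None or not redirect.get("uri", "").endswith("/error"):
        return False, "block rule does not redirect to /error"
    if READ_PATTERN in patterns and patterns.index(READ_PATTERN) < block_idx:
        return False, "block rule placed after themes/* matcher"
    return True, "block rule present and placed before themes/* matcher"

# Constructed fragments mirroring the two sections quoted in the post
BLOCK = """<map:match pattern="themes/**:**">
<map:redirect-to uri="{request:contextPath}/error" permanent="yes"/>
</map:match>"""
READ = """<map:match pattern="themes/*">
<map:read src="themes/{1}"/>
</map:match>"""

def sample_sitemap(*sections):
    """Build a minimal constructed stand-in for sitemap.xmap (not a real DSpace file)."""
    return ('<map:sitemap xmlns:map="%s"><map:pipelines><map:pipeline>\n%s\n'
            '</map:pipeline></map:pipelines></map:sitemap>'
            % (MAP_NS, "\n".join(sections)))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real file, e.g. the root sitemap path given in the post
        with open(sys.argv[1], "rb") as fh:
            print(check_sitemap(fh.read()))
    else:
        print(check_sitemap(sample_sitemap(BLOCK, READ)))  # correct order
        print(check_sitemap(sample_sitemap(READ, BLOCK)))  # wrong order
```

This only inspects the file on disk; the URL test described in the post is still needed to confirm the running instance returns the 404.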