Work around CVE-2018-12532

https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html

Change-Id: I2c6cd13e0aeb71e5bebc680568fdf9f6f0656b74

manifests/apache.pp

@@ -29,6 +29,12 @@ class zanata::apache (
   include ::httpd
   include ::httpd::ssl
 
+  if !defined(Httpd_mod['rewrite']) {
+    httpd_mod { 'rewrite':
+      ensure => present,
+    }
+  }
+
   httpd_mod { 'proxy':
     ensure => present,
   }

templates/zanata.vhost.erb

@@ -32,7 +32,11 @@
     SSLCertificateChainFile <%= scope.lookupvar("zanata::apache::ssl_chain_file") %>
   <% end -%>
 
+  # CVE-2018-12532 https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
+  RewriteEngine on
+  RewriteRule .*(/DATA/|org\.richfaces\.resource\.MediaOutputResource).* - [F,L]
+
   ProxyPass / ajp://127.0.0.1:8009/ retry=0
 
 </VirtualHost>
-</IfModule>
+</IfModule>