A security vulnerability was recently discovered that would allow a malicious 
person to delete the contents of a history that does not belong to them.  The 
vulnerability was in a method designed to allow users to switch between 
histories as a convenience from certain messages and is not used for most 
normal history switching operations.  A fix has been provided in the stable 
branch of the Galaxy distribution and tagged as security_2013.04.08.  
Administrators are strongly encouraged to upgrade to at least the listed tag or 
to implement one of the provided workarounds. This changeset *is not* included 
in the most recent (April 1, 2013) stable release.

To upgrade:

  % hg pull
  % hg update security_2013.04.08

For Galaxy installations on relatively old versions that administrators are not 
yet ready to upgrade, there are two workarounds.  First, the patch can be 
downloaded and applied manually:

  % wget -o history.patch 

and then:

  % hg patch history.patch


  % patch -p1 < history.patch

In this case, the Galaxy server process(es) must be restarted for the change to 
take effect.

Second, access to this method via the upstream proxy server can be denied.  
Note that anyone with the ability to bypass the proxy server via directly 
connecting to the Galaxy application's web port(s) would still be able to call 
this method.  This is possible for anyone with direct login access to the 
server, or even remotely if the Galaxy application binds to all addresses 
(instead of just localhost) unless restricted by other means (e.g. a firewall).

For Apache:

<Location ~ "/history/switch_to_history.*">
   Deny from all

For nginx:

location ~ /history/switch_to_history.* {
   deny all;

If using a proxy prefix (e.g. "/galaxy"), that prefix should be prepended to 

Galaxy Team
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

To search Galaxy mailing lists use the unified search at:

Reply via email to