Nginx security issue CVE-2019-11043

ReinerNippes · Feb 6, 2020 · 0adf67b · 0adf67b
1 parent f7a88d8
commit 0adf67b
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/roles/docker_container/templates/nginx.conf.j2 b/roles/docker_container/templates/nginx.conf.j2
@@ -152,7 +152,7 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$request_uri;
+            rewrite ^ /index.php;
         }
 
         location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
@@ -162,14 +162,17 @@ http {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;