From b9e0dfb82cc8dba086293cf8ca27773e0c7eb2c1 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Tue, 10 May 2022 15:27:10 +1000
Subject: [PATCH 1/2] fix: missing chars in authelia server 401
---
 root/defaults/authelia-server.conf | 2 +-
 root/etc/cont-init.d/50-config | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/defaults/authelia-server.conf b/root/defaults/authelia-server.conf
index 8bd63d07..5a2c36c1 100644
--- a/root/defaults/authelia-server.conf
+++ b/root/defaults/authelia-server.conf
@@ -10,7 +10,7 @@ location ^~ /authelia {
 location = /authelia/api/verify {
 internal;
- if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+ if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]])\{\} {
 return 401;
 }
 include /config/nginx/resolver.conf;
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 9401ee00..8144fc15 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -109,7 +109,7 @@ fi
 # patch authelia-server.conf for CVE-2021-32637
 if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
- sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
+ sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]])\\{\\} { return 401; }' /config/nginx/authelia-server.conf
 fi
 # copy pre-generated dhparams or generate if needed
From 6e7fe8354b9235cf8007ebae5d399f671e41178c Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Tue, 10 May 2022 22:37:03 +1000
Subject: [PATCH 2/2] fix: incorrect syntax
---
 root/defaults/authelia-server.conf | 2 +-
 root/etc/cont-init.d/50-config | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/defaults/authelia-server.conf b/root/defaults/authelia-server.conf
index 5a2c36c1..1f5c547a 100644
--- a/root/defaults/authelia-server.conf
+++ b/root/defaults/authelia-server.conf
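Review bot: The allowlist on the added `if ($request_uri ~ [^a-zA-Z0-9_+-=...])` line keeps the unescaped `_+-=` sequence, which a PCRE bracket expression reads as the range `+` through `=`, so `,`, `-`, `/` and `<` are admitted by that range rather than by an explicit entry (and `/`, which every request URI contains, is only permitted at all because of it). If the range is intended it needs a comment saying so; if not, the hyphen should be escaped or moved to the end of the class and `/` listed explicitly, along the lines of `[^a-zA-Z0-9_+=\!@$%&*?~.:#'\;\(\)\[\]/-]`. The same class is repeated on the new side of the `50-config` hunk below and in both hunks of the second commit, so any correction has to be applied to all four places. The enclosing `location = /authelia/api/verify` block is opened in this hunk but closes outside it.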
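Review bot: The `if ! grep -q 'if ($request_uri ~'` guard above the changed `sed` line means the new character class is only ever written into a `/config/nginx/authelia-server.conf` that has never been patched; an existing install that already carries the earlier class keeps the old rule and still returns 401 for the characters this commit sets out to allow. To make the fix reach upgraded containers the guard should test for the current rule text, e.g. `if ! grep -qF '\{\}]) { return 401; }' /config/nginx/authelia-server.conf; then`, and remove the stale rule before appending with `sed -i '/if ($request_uri ~/d' /config/nginx/authelia-server.conf`. The same guard is left untouched in the `50-config` hunk of the second commit, so that hunk has the same gap.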
@@ -10,7 +10,7 @@ location ^~ /authelia {
 location = /authelia/api/verify {
 internal;
- if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]])\{\} {
+ if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]\{\}]) {
 return 401;
 }
 include /config/nginx/resolver.conf;
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 8144fc15..1d6b25d0 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -109,7 +109,7 @@ fi
 # patch authelia-server.conf for CVE-2021-32637
 if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
- sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]])\\{\\} { return 401; }' /config/nginx/authelia-server.conf
+ sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]\\{\\}]) { return 401; }' /config/nginx/authelia-server.conf
 fi
 # copy pre-generated dhparams or generate if needed
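Review bot: The corrected `if ($request_uri ~ [^...\{\}])` rule in the defaults file carries no comment, so a reader of the shipped config cannot tell that this 401 is a deliberate CVE mitigation rather than a stray validation, nor why `{` and `}` were just added to the allowlist; the only hint lives in the `50-config` script. A one-line comment directly above the `if`, e.g. `# CVE-2021-32637 mitigation: reject verify requests whose URI contains characters outside this allowlist`, would record that, and the commit message or comment should state which legitimate URIs needed the braces. The `location = /authelia/api/verify` block opens in this hunk and closes outside it.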
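Review bot: The allowlist on the changed `sed -i '/internal;/a ...'` line is a second, hand-escaped copy of the class in `root/defaults/authelia-server.conf`, and this two-commit series already shows the two copies drifting and needing a matching fix each time. Keeping the rule in a single snippet that both the default config and the `sed`-patched config `include` would leave one place to audit when the class changes; the `sed` would then insert only the `include` line rather than the full regex. Until that is done, a comment next to the `sed` such as `# keep in sync with the allowlist in root/defaults/authelia-server.conf` would at least flag the coupling.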