nginx config tweak for PATH_INFO

[pgeorgi]

The recommended handling of php in nginx includes "try_files $uri =404;", which matches exact file names, so /uploads/somelegal.git/with-malicious-code.php doesn't lead to code execution. Unfortunately that breaks with /remote.php/some-more-path-elements.

The following nginx configuration allows for the try_files test and PATH_INFO to be set correctly. This depend on __internal_path to never be used by owncloud itself.

    error_page 403 = /core/templates/403.php;
    error_page 404 = /core/templates/404.php;

    location /  {
            index index.php;
            try_files $uri $uri/ =404;

            rewrite /.well-known/host-meta /public.php?service=host-meta;
            rewrite /.well-known/carddav /remote.php/carddav/;
            rewrite /.well-known/caldav /remote.php/caldav/;
            rewrite /apps/calendar/caldav.php /remote.php/caldav/;
            rewrite /apps/contacts/carddav.php /remote.php/carddav/;
            rewrite /apps/([^/]*)/(.*\.(css|php))$ /index.php?app=$1&getfile=$2;

            rewrite /remote/(.*)$ /remote.php/$1;
    }

    location ~ ^/(config|data|db_structure\.xml|README) {
            deny all;
    }

    location ~* \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_param  PATH_INFO          $path_info;
    }

    location /remote.php/ {
            rewrite /remote.php(/.*)$ /remote.php?__internal_path=$1;
            if ($args ~ (?:^|(&))__internal_path=(.+)($|&)) {
                    set $path_info $2;
            }
    }

[LukasReschke]

Opened an issue on the documentation repository.

Thanks!