Use $request_uri instead of $uri, since $uri allows for injection

Thanks NixOS for pointing that out! :3
Also see here for an explanation:
https://reversebrain.github.io/2021/03/29/The-story-of-Nginx-and-uri-variable/
June 2024-01-22 22:37:10 +01:00
parent 98906db4bf
commit 6787c7c0d7


@ -46,7 +46,7 @@ server {
expires 365d;
}
location / { try_files $uri $uri/ @dokuwiki; }
location / { try_files $request_uri $request_uri/ @dokuwiki; }
location @dokuwiki {
# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
@ -57,7 +57,7 @@ server {
}
location ~ \.php$ {
try_files $uri $uri/ /doku.php;
try_files $request_uri $request_uri/ /doku.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
@ -72,14 +72,14 @@ server {
}
location /ChaosVPN {
return 302 https://oldwiki.hamburg.ccc.de$uri;
return 302 https://oldwiki.hamburg.ccc.de$request_uri;
}
location ~ /EH(07|09|11) {
return 302 https://oldwiki.hamburg.ccc.de$uri;
return 302 https://oldwiki.hamburg.ccc.de$request_uri;
}
location /Easter {
return 302 https://oldwiki.hamburg.ccc.de$uri;
return 302 https://oldwiki.hamburg.ccc.de$request_uri;
}
}
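Review bot: The two `try_files` lines (in `location /` and `location ~ \.php$`) should keep `$uri`: `try_files` only tests paths on disk, and `$request_uri` is the raw request target, still percent-encoded and carrying the query string, so a request such as `/doku.php?id=start` (constructed example) would be looked up as a file whose name includes `?id=start`. In the PHP location the existence check then no longer covers the path that `$fastcgi_script_name` puts into `SCRIPT_FILENAME`, and because `$request_uri` does not change on an internal redirect, the `/doku.php` fallback probably re-enters the same location and fails the same check until nginx aborts the redirect cycle. The header-injection problem applies where the decoded `$uri` is written into a response header, which is the three `return 302` lines, and the switch to `$request_uri` is right there. I would revert the first two to `try_files $uri $uri/ @dokuwiki;` and `try_files $uri $uri/ /doku.php;`; the enclosing `server` block starts outside the visible hunks.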