From 6787c7c0d76805a3635c20f8b1ec22ccfd33b6a5 Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 22 Jan 2024 22:37:10 +0100
Subject: [PATCH] Use $request_uri instead of $uri, since $uri allows for injection
Thanks NixOS for pointing that out! :3 Also see here for an explanation: https://reversebrain.github.io/2021/03/29/The-story-of-Nginx-and-uri-variable/
---
 .../configs/wiki/nginx/wiki.hamburg.ccc.de.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf b/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
index 814a553..fd4e10c 100644
--- a/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
@@ -46,7 +46,7 @@ server {
 expires 365d;
 }
- location / { try_files $uri $uri/ @dokuwiki; }
+ location / { try_files $request_uri $request_uri/ @dokuwiki; }
 location @dokuwiki {
 # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
@@ -57,7 +57,7 @@ server {
 }
 location ~ \.php$ {
- try_files $uri $uri/ /doku.php;
+ try_files $request_uri $request_uri/ /doku.php;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param REDIRECT_STATUS 200;
@@ -72,14 +72,14 @@ server {
 }
 location /ChaosVPN {
- return 302 https://oldwiki.hamburg.ccc.de$uri;
+ return 302 https://oldwiki.hamburg.ccc.de$request_uri;
 }
 location ~ /EH(07|09|11) {
- return 302 https://oldwiki.hamburg.ccc.de$uri;
+ return 302 https://oldwiki.hamburg.ccc.de$request_uri;
 }
 location /Easter {
- return 302 https://oldwiki.hamburg.ccc.de$uri;
+ return 302 https://oldwiki.hamburg.ccc.de$request_uri;
 }
 }
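Review bot: `try_files` in `location /` should keep `$uri`; the injection the commit message refers to arises when the decoded `$uri` is written into a response header, whereas `try_files` only builds a filesystem path to test. `$request_uri` is the raw request target, still percent-encoded and with the query string attached, so a request for an existing static file with `?…` appended, or with an encoded character in its name, will no longer match on disk and will fall through to `@dokuwiki`. I would revert this line to `location / { try_files $uri $uri/ @dokuwiki; }` and keep the variable change for the `return 302` lines only. The `try_files` line in the `\.php$` location has the same problem.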
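Review bot: With `$request_uri` in the `\.php$` location, the `/doku.php` fallback looks like it can never terminate. The internal redirect re-enters this same location and `$request_uri` does not change across internal redirects, so the file test fails again for any request whose raw target is not itself a file on disk, for instance anything carrying a query string. nginx would presumably cut that off at its internal-redirect limit and answer 500. The existence check that runs before the request is handed to FastCGI also no longer tests the normalised script path. `try_files $uri $uri/ /doku.php;` avoids both; the location block continues past the end of the hunk, so the rest of the FastCGI setup is not visible here.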
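Review bot: The three `return 302` lines are where the variable choice actually matters, and nothing next to them says why `$request_uri` was picked, so a later cleanup could switch them back to `$uri`. A comment above the first one would do, e.g. `# $request_uri is the raw, still-encoded request target; $uri is decoded, so %0d%0a would reach the Location header as CR LF`. Note also that `$request_uri` includes the query string, so these redirects now forward `?…` to oldwiki where it was dropped before. That is presumably wanted, but it is a behaviour change worth a line in the commit message.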