The nginx configuration causes any URL with a ";" to be 403 (access denied). This is a bit over-zealous, considering buggy email readers will convert an ampersand (&) to `&amp;`.
http/Provision/Config/Nginx/server.tpl.php
map $args $is_denied {
default '';
- ~*delete.+from|insert.+into|select.+from|union.+select|onload|\.php.+src|system\(.+|document\.cookie|\;|\.\. is_denied;
+ ~*delete.+from|insert.+into|select.+from|union.+select|onload|\.php.+src|system\(.+|document\.cookie|\.\. is_denied;
}
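Review bot: dropping `\;` from the alternation removes the only clause that rejects a semicolon in `$args`, and it does so unconditionally for every configuration mode; since the thread treats the check as intentional, gating the stricter regex behind the `extended` mode (as the follow-up in comment #3 suggests and comment #5 reports committing) is the better shape for this change than deleting the clause outright. Note also that the backslash in `\;` is there for nginx's own parser, since an unescaped `;` would terminate the `map` entry, so nothing else in the line (including the trailing `\.\.` clause) changes meaning with this patch.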
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 0001-Issue-2667210-relax-zealous-security-checks-allow-se.patch | 956 bytes | bgm |
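To see concretely which query strings the two regexes from the patch accept or reject, here is an added example (not code from the issue or from Provision) that evaluates both alternations the way nginx's case-insensitive `map $args $is_denied` would, and gates the stricter one behind the `extended` mode as the thread settles on; the mode gating and the sample query strings are assumptions of this example.

```python
import re

# Both alternations are copied from the patch above: the original one
# (with the `\;` clause) and the relaxed one the patch proposes.
# nginx's `~*` prefix makes the match case-insensitive.
DENY_ORIGINAL = (r"delete.+from|insert.+into|select.+from|union.+select|onload"
                 r"|\.php.+src|system\(.+|document\.cookie|\;|\.\.")
DENY_RELAXED = (r"delete.+from|insert.+into|select.+from|union.+select|onload"
                r"|\.php.+src|system\(.+|document\.cookie|\.\.")


def is_denied(args: str, nginx_config_mode: str = "extended") -> bool:
    """Mimic `map $args $is_denied`: True when the query string is blocked.

    `args` is the raw query string; nginx's $args is not URL-decoded, so
    the regex sees exactly what the client sent. The gating below
    (strict regex only when the mode is 'extended', relaxed regex for any
    other mode) is an assumption of this example, not Provision's template.
    """
    pattern = DENY_ORIGINAL if nginx_config_mode == "extended" else DENY_RELAXED
    return re.search(pattern, args, re.IGNORECASE) is not None


# Constructed sample query strings (not taken from any real request).
SAMPLES = [
    "q=drupal&page=2",        # ordinary link
    "q=drupal&amp;page=2",    # the same link after a mail client rewrote & as &amp;
    "f=../notes.txt",         # still caught by the `\.\.` clause in both regexes
]


def classify(samples=SAMPLES, modes=("extended", "basic")) -> dict:
    """Return {query string: {mode: denied?}} for every sample and mode."""
    return {a: {m: is_denied(a, m) for m in modes} for a in samples}


if __name__ == "__main__":
    for args, verdicts in classify().items():
        print(f"{args!r:28} {verdicts}")
```

The middle sample is the "buggy email reader" case from the issue summary: the `;` that ends `&amp;` trips the original regex, while the relaxed one lets it through.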

Comments
Comment #2
bgm commented:
patch

Comment #3
omega8cc commented:
It is here by design. Removing protection like this is not a solution, though, if you don't like it. We should perhaps move the configuration which depends on this regex to
<?php if ($nginx_config_mode == 'extended'): ?>

Comment #4
omega8cc commented:

Comment #5
omega8cc commented:
Change committed.

Comment #6
bgm commented:
I think it's debatable for the ";" in URLs, but the fix you committed in provision works for me, and I do appreciate that the nginx configuration comes with "batteries included".

Comment #7
omega8cc commented:
Most of the time the ";" in URLs (args) is a malicious attempt to trick the server into downloading and executing some evil code. The "buggy email readers" problem is a very low price for this protection, and thus the protection shouldn't be removed, but of course it belongs to the 'extended' config mode. Thanks for bringing this to our attention!

Comment #8
omega8cc commented:
Indeed, it was a bug and not a feature request.

Comment #9
omega8cc commented:
Moving this to the correct queue.