Closed ghost closed 4 years ago
Sorry. I didn't see your merge request. So I copied the nginx config from the manual page to fix the CVE.
https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html
Just now I'm getting here a merge conflict about back slash quoting with the old code.
Do you know the correct spelling?
<<<<<<< cve-2019-11043-fix
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
=======
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
>>>>>>> master
Sorry. I didn't see your merge request. So I copied the nginx config from the manual page to fix the CVE.
https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html
Just now I'm getting here a merge conflict about back slash quoting with the old code.
Do you know the correct spelling?
<<<<<<< cve-2019-11043-fix location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; ======= location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; >>>>>>> master
I just followed the modifications in the link I sent in the PR. I will close this PR as it has now been solved 👍
This PR addresses the CVE-2019-11043 which requires changes to the nginx.conf file in order to mitigate.
More information can be found here: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
Relates to #37