YunoHost-Apps / akkoma_ynh

Social media based on ActivityPub, fork of Pleroma
https://akkoma.social/
GNU Affero General Public License v3.0

V3.9.3 patch not allowing media to be viewable #35

Closed twizzayy closed 1 year ago

twizzayy commented 1 year ago

After upgrading to v3.9.3 everything located at 'sub.domain.tld/media' is returning a 404 error.

I tested removing different lines from the nginx config for my instance and restarting the nginx service.

The issue seems to be directly tied to the new 'location ~ ^/media' in the nginx config.

Media always returned a 404 as long as this location matched, regardless of what was in the body of the block, even if it was empty.

Removing the location block entirely made media viewable. But this nullifies the CSP rules for the patch which is obviously not ideal.

lapineige commented 1 year ago

I don't know how to fix this 🤔

twizzayy commented 1 year ago

I was able to fix this by moving the CSP headers inside the location ~ ^/media block to the location ~ ^/(proxy|media) block.

My final nginx config ends like this:

rewrite ^/proxy/(.*)/(.*)/.* /proxy/$1/$2 last;

location ~ ^/(media|proxy) {
  proxy_cache akkoma_media_cache;
  proxy_cache_key    $host$uri$is_args$args;
  proxy_http_version 1.1;
  proxy_cache_valid  200 206 301 304 1h;
  proxy_cache_lock on;
  proxy_ignore_client_abort on;
  proxy_buffering on;
  chunked_transfer_encoding on;
  # sandbox is a CSP directive, not a quoted keyword, so it is written without quotes
  more_set_headers "Content-Security-Policy: script-src 'none'; default-src 'none'; upgrade-insecure-requests; base-uri 'none'; form-action 'none'; sandbox;";

  proxy_pass http://localhost:8095;
}

I added some stuff that seirdy said to add to make it a bit more bulletproof. Probably overkill. But whatever.

Verified that CSP was working on csper.io.

I can make a PR for this tomorrow if desired.
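
A check for the policy discussed in the comment above, added here as an example and not part of the original thread or the akkoma_ynh package: it parses a Content-Security-Policy value and reports directives that are missing, loosened, or written so that browsers will not recognise them. The function names and both sample header values are constructed for illustration.

```python
import re

# Directives the media/proxy location is meant to send, taken from the config
# in the comment above. Each maps to the exact value tokens expected.
REQUIRED = {
    "script-src": ["'none'"],
    "default-src": ["'none'"],
    "base-uri": ["'none'"],
    "form-action": ["'none'"],
    "upgrade-insecure-requests": [],
    "sandbox": [],  # no allow-* flags: the strictest sandbox
}
# A CSP directive name consists of letters, digits and hyphens only.
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def parse_csp(value):
    """Split a CSP header value into ({name: [tokens]}, [unrecognisable names])."""
    directives, malformed = {}, []
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if not DIRECTIVE_NAME.match(name):
            malformed.append(tokens[0])  # matches no known directive, so no effect
        elif name not in directives:     # a repeated directive is ignored
            directives[name] = tokens[1:]
    return directives, malformed


def audit_media_csp(value):
    """Return a list of findings; an empty list means the policy matches REQUIRED."""
    directives, malformed = parse_csp(value)
    findings = [f"ignored token (not a directive name): {m}" for m in malformed]
    for name, expected in REQUIRED.items():
        if name not in directives:
            findings.append(f"missing directive: {name}")
        elif directives[name] != expected:
            findings.append(f"{name} is {directives[name]}, expected {expected}")
    return findings


# Constructed header values, not captured from a real instance.
GOOD = ("script-src 'none'; default-src 'none'; upgrade-insecure-requests; "
        "base-uri 'none'; form-action 'none'; sandbox;")
QUOTED = GOOD.replace("sandbox;", "'sandbox';")  # directive quoted like a keyword

if __name__ == "__main__":
    for label, policy in (("good", GOOD), ("quoted sandbox", QUOTED)):
        print(label, "->", audit_media_csp(policy) or "ok")
```

To audit a live instance, pass the Content-Security-Policy value returned for a URL under /media or /proxy to audit_media_csp.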

lapineige commented 1 year ago

Please check the latest PR :)