If you visit /mail_auth.md, or anything else that starts with /mail_auth and ends with .md, the nginx regex that matches paths ending in .md forwards the request to orbit; but orbit then checks its "starts with /mail_auth" regex before its "ends in .md" regex, so the request lands on the mail_auth route.
This means that mail_auth, which should be an internal-only route, is actually reachable externally. In theory you could use this route to brute force credentials, but it isn't like /login is more hardened against that, so this isn't really a serious issue, just an unintended consequence of having two places where we deal with regexes that filter paths.
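To make the ordering problem concrete, here is an added Python model of the two-layer matching (this is not the project's nginx config or orbit's router; the rule lists, handler names and probe paths are constructed from the description above). It shows the buggy order exposing the internal handler, the same probe under a corrected order, and an audit helper that flags any probe path which reaches an internal-only handler from outside.

```python
import re

# Constructed model of the description: nginx forwards anything ending in
# .md to orbit; orbit then tries its route regexes in list order.
NGINX_FORWARD_TO_ORBIT = re.compile(r"\.md$")

# Buggy order (as described): the /mail_auth prefix rule is tested before
# the "ends in .md" rule, so "/mail_auth.md" hits the internal handler.
ORBIT_ROUTES_BUGGY = [
    (re.compile(r"^/mail_auth"), "mail_auth"),  # internal-only handler
    (re.compile(r"\.md$"), "markdown"),
]

# Corrected order (assumed fix): the suffix rule nginx forwarded on is
# tested first, so the prefix rule can no longer capture .md paths.
ORBIT_ROUTES_FIXED = [
    (re.compile(r"\.md$"), "markdown"),
    (re.compile(r"^/mail_auth"), "mail_auth"),
]

# Assumed defence in depth: nginx itself refuses external requests for the
# internal prefix, regardless of how orbit orders its rules.
NGINX_DENY_EXTERNAL = re.compile(r"^/mail_auth")

INTERNAL_ONLY_HANDLERS = {"mail_auth"}


def resolve(path, routes, deny=None):
    """Return the orbit handler an external request for `path` reaches, or None.

    `deny` is an optional nginx-level block applied before forwarding.
    """
    if deny is not None and deny.search(path):
        return None  # blocked at nginx before reaching orbit
    if not NGINX_FORWARD_TO_ORBIT.search(path):
        return None  # nginx does not forward this path to orbit at all
    for pattern, handler in routes:  # first match wins, like a router
        if pattern.search(path):
            return handler
    return None


def audit(routes, probes, deny=None):
    """Return the probe paths that reach an internal-only handler from outside."""
    return [p for p in probes if resolve(p, routes, deny) in INTERNAL_ONLY_HANDLERS]


# Constructed probe paths covering the shapes the description mentions.
PROBES = ["/mail_auth.md", "/mail_auth/anything.md", "/mail_auth", "/docs/readme.md"]

if __name__ == "__main__":
    print("buggy :", audit(ORBIT_ROUTES_BUGGY, PROBES))
    print("fixed :", audit(ORBIT_ROUTES_FIXED, PROBES))
    print("denied:", audit(ORBIT_ROUTES_BUGGY, PROBES, NGINX_DENY_EXTERNAL))
```

The audit function is the piece worth keeping around: run it against the real route tables whenever either layer's regexes change, so a reordering in one place cannot silently re-expose a route the other layer assumed was internal.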