If you visit /mail_auth.md, or anything else that starts with /mail_auth and ends with .md, the nginx regex that scans for paths ending in .md will forward the request to orbit. Orbit then checks its regex for paths starting with /mail_auth before it checks the "ends in .md" one, so the request lands on the mail_auth handler.
This means that mail_auth, which should be an internal-only route, is actually accessible externally. In theory you could use this route to brute force credentials, but it isn't like /login is more hardened against that, so this isn't really a serious issue, just an unintended consequence of having two places where we deal with regexes to filter paths.
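As an added illustration that is not part of the original report: a small Python model of the two routing layers. The nginx and orbit regexes are assumptions (the real patterns are not shown here); the point is that the order orbit evaluates its rules in decides whether an externally forwarded `.md` request can reach the internal route, and that reordering the rules closes the gap.

```python
import re

# Assumed nginx behaviour: only paths ending in .md are forwarded to orbit;
# anything else (including a bare /mail_auth) is not forwarded externally.
NGINX_RULES = [
    (re.compile(r"\.md$"), "orbit"),
]

# Assumed orbit rules in the order the report describes: the /mail_auth prefix
# check runs before the "ends in .md" check, so /mail_auth.md hits mail_auth.
ORBIT_RULES_BUGGY = [
    (re.compile(r"^/mail_auth"), "mail_auth"),
    (re.compile(r"\.md$"), "markdown"),
]

# Fix: evaluate the .md rule first, so a request nginx forwarded as a markdown
# request can never fall through to an internal-only handler.
ORBIT_RULES_FIXED = [
    (re.compile(r"\.md$"), "markdown"),
    (re.compile(r"^/mail_auth"), "mail_auth"),
]

INTERNAL_ONLY = {"mail_auth"}


def first_match(rules, path, default):
    """Return the target of the first rule whose regex matches the path."""
    for pattern, target in rules:
        if pattern.search(path):
            return target
    return default


def route_external_request(path, orbit_rules):
    """Handler an external request reaches, or None if nginx does not forward it."""
    if first_match(NGINX_RULES, path, "not_forwarded") != "orbit":
        return None
    return first_match(orbit_rules, path, "not_found")


def exposed_internal_routes(orbit_rules, sample_paths):
    """Sample paths that reach an internal-only handler from outside."""
    return sorted(
        p for p in sample_paths
        if route_external_request(p, orbit_rules) in INTERNAL_ONLY
    )


# Constructed sample paths, including the one the report names.
SAMPLE_PATHS = ["/mail_auth.md", "/mail_auth", "/mail_auth/x.md", "/docs/readme.md"]
```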