From 7079b3031692b113343ee017d73919a357d98aae Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Fri, 5 Jun 2020 11:46:50 +0200
Subject: [PATCH] disallow access to vendor directory of apps
---
 doc/docker/nginx.conf | 2 +-
 doc/rpm-build/nginx.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/docker/nginx.conf b/doc/docker/nginx.conf
index 5749c42073..28c5ea3389 100644
--- a/doc/docker/nginx.conf
+++ b/doc/docker/nginx.conf
@@ -42,7 +42,7 @@ server {
 try_files $uri $uri/ =404;
 location ~ ^/egroupware(/(?U).+\.php) {
 # do not allow to call files ment to be included only
- location ~ ^$path/(vendor|[^/]+/(src|setup|inc))/ {
+ location ~ ^$path/(vendor|[^/]+/(src|setup|inc|vendor))/ {
 return 404;
 }
 alias /usr/share/egroupware;
diff --git a/doc/rpm-build/nginx.conf b/doc/rpm-build/nginx.conf
index a6c3f95e8c..d0d7da3fc5 100644
--- a/doc/rpm-build/nginx.conf
+++ b/doc/rpm-build/nginx.conf
@@ -41,7 +41,7 @@ server {
 try_files $uri $uri/ =404;
 location ~ ^/egroupware(/(?U).+\.php) {
 # do not allow to call files ment to be included only
- location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc))/ {
+ location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc|vendor))/ {
 return 404;
 }
 alias /usr/share/egroupware;
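Review bot: In doc/docker/nginx.conf the changed `location ~ ^$path/(...)` line probably never matches, because nginx does not expand variables inside a location regex: the `$` is read as an end-of-string anchor followed by the literal text `path/`. Unless a templating step replaces `$path` before nginx loads this file (nothing in the hunk shows one), the `return 404` is unreachable and the added `vendor` alternative has no effect in the Docker config. The enclosing location already hard-codes `/egroupware`, and the rpm-build variant spells the prefix out, so the same form would work here: `location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc|vendor))/ {`. The server block starts and ends outside the hunk, so any `set $path` or substitution elsewhere should be checked before changing it.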
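Review bot: The deny rule in doc/rpm-build/nginx.conf is nested inside `location ~ ^/egroupware(/(?U).+\.php)`, so it only applies to requests that the outer `.php` pattern selects; the same holds for the doc/docker/nginx.conf hunk. Non-PHP files under an app's `vendor/` directory (package metadata, for instance) are handled by other locations that lie outside this hunk, which is narrower than the commit title "disallow access to vendor directory of apps" suggests. If only PHP entry points are meant, a comment above the inner location would make that scope explicit, e.g. `# denies only .php requests below these directories; other file types are not matched by this block`. If the whole directory is meant, the same pattern would also be needed in a location outside the PHP block.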