From 97e332e8094c3fec2efdc07126f1e3597e86831c Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Wed, 15 Jan 2020 21:50:25 +0100
Subject: [PATCH] return 404 instead of 403 for accessing PHP in blacklisted folders and remove doublicate SCRIPT_FILENAME
---
 doc/docker/development/nginx.conf | 3 +--
 doc/docker/nginx.conf | 3 +--
 doc/rpm-build/nginx.conf | 5 ++++-
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/doc/docker/development/nginx.conf b/doc/docker/development/nginx.conf
index 39655336d5..c3b58051c1 100644
--- a/doc/docker/development/nginx.conf
+++ b/doc/docker/development/nginx.conf
@@ -34,7 +34,7 @@ server {
 location ~ ^/egroupware(/(?U).+\.php) {
 # do not allow to call files ment to be included only
 #location ~ ^$path/(vendor|[^/]+/(src|setup|inc))/ {
- # return 403;
+ # return 404;
 #}
 alias /var/www/egroupware;
 fastcgi_pass fpm;
@@ -42,7 +42,6 @@ server {
 fastcgi_read_timeout 60m;
 fastcgi_index index.php;
 fastcgi_split_path_info ^((?U).+\.php)(.*)$;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
 # standard Nginx
diff --git a/doc/docker/nginx.conf b/doc/docker/nginx.conf
index 62c3b9fd6c..935428f4e0 100644
--- a/doc/docker/nginx.conf
+++ b/doc/docker/nginx.conf
@@ -43,7 +43,7 @@ server {
 location ~ ^/egroupware(/(?U).+\.php) {
 # do not allow to call files ment to be included only
 location ~ ^$path/(vendor|[^/]+/(src|setup|inc))/ {
- return 403;
+ return 404;
 }
 alias /usr/share/egroupware;
 fastcgi_pass fpm;
@@ -51,7 +51,6 @@ server {
 fastcgi_read_timeout 60m;
 fastcgi_index index.php;
 fastcgi_split_path_info ^((?U).+\.php)(.*)$;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
 # standard Nginx
diff --git a/doc/rpm-build/nginx.conf b/doc/rpm-build/nginx.conf
index 7bed9b1504..a6c3f95e8c 100644
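Review bot: Removing `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` leaves the only remaining SCRIPT_FILENAME definition outside this hunk (presumably whatever the `# standard Nginx` include provides), so its value needs confirming before the removal is safe, because this `location` uses `alias`, and under `alias` the expression `$document_root$fastcgi_script_name` yields the alias path with the `/egroupware` URI prefix appended again, whereas `$request_filename` yields the actual aliased file. If the retained definition uses `$request_filename` (as the stock `fastcgi.conf` does) the removal is correct; if it still uses `$document_root$fastcgi_script_name`, PHP-FPM will be handed a non-existent path. The same removal appears in the doc/docker/nginx.conf and doc/rpm-build/nginx.conf hunks. The enclosing `location ~ ^/egroupware(/(?U).+\.php)` block starts before this hunk.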
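Review bot: The `location ~ ^$path/(vendor|[^/]+/(src|setup|inc))/` block whose status code this hunk changes does not expand `$path`: nginx does not interpolate variables in `location` patterns, so PCRE sees `^$path/`, where `$` is the end-of-subject assertion, and the pattern cannot match any real URI. As far as this hunk shows, the 403→404 change therefore edits a block that is never reached, and requests for PHP files under those directories still fall through to the enclosing PHP location. The literal form introduced in the doc/rpm-build/nginx.conf hunk, `location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc))/ {`, would make the block effective; the commented-out copy in doc/docker/development/nginx.conf carries the same `$path` and would have the same problem if it is ever enabled. A config test is unlikely to flag this, since the pattern is syntactically valid.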
--- a/doc/rpm-build/nginx.conf
+++ b/doc/rpm-build/nginx.conf
@@ -40,13 +40,16 @@ server {
 alias /usr/share/egroupware/;
 try_files $uri $uri/ =404;
 location ~ ^/egroupware(/(?U).+\.php) {
+ # do not allow to call files ment to be included only
+ location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc))/ {
+ return 404;
+ }
 alias /usr/share/egroupware;
 fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 # added to support WebDAV/CalDAV/CardDAV
 fastcgi_read_timeout 60m;
 fastcgi_index index.php;
 fastcgi_split_path_info ^((?U).+\.php)(.*)$;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
 # standard Nginx
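Review bot: The new blacklist is nested inside `location ~ ^/egroupware(/(?U).+\.php)`, so it only returns 404 for `.php` URIs; a non-PHP file under `vendor/` or an application's `src/`, `setup/` or `inc/` is still served by the `alias /usr/share/egroupware/;` and `try_files $uri $uri/ =404;` of the enclosing block, which starts before this hunk. If the intent is to hide those directories entirely, the same `location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc))/ { return 404; }` placed as a sibling ahead of the PHP location in the enclosing block would cover both cases, since nginx uses the first matching regex location. The added comment should read `# do not allow to call files meant to be included only`.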