From 497ea5f000f09f2fc5279bc0672b542934a911bc Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Wed, 30 Oct 2019 13:33:55 +0100
Subject: [PATCH] * Docker: do not allow to call php files ment to be included only (src, setup, inc or vendor directories)
---
 doc/docker/nginx.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/doc/docker/nginx.conf b/doc/docker/nginx.conf
index 333f38e910..192ecbc278 100644
--- a/doc/docker/nginx.conf
+++ b/doc/docker/nginx.conf
@@ -35,6 +35,10 @@ server {
 alias /usr/share/egroupware/;
 try_files $uri $uri/ =404;
 location ~ ^/egroupware(/(?U).+\.php) {
+ # do not allow to call files ment to be included only
+ location ~ /(src|setup|inc|vendor)/ {
+ return 403;
+ }
 alias /usr/share/egroupware;
 fastcgi_pass fpm;
 # added to support WebDAV/CalDAV/CardDAV
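Review bot: The added `location ~ /(src|setup|inc|vendor)/` is unanchored, so it returns 403 for any `.php` request whose URI contains one of those segments anywhere, not only for include-only files. The enclosing location's lazy `(?U).+\.php` leaves room for a path after the script name (the trailing comment mentions WebDAV/CalDAV/CardDAV), so a DAV path that contains a folder named `src` or `vendor` would presumably be refused as well, and so would a top-level `/egroupware/setup/` page if one is meant to stay reachable. Anchoring the pattern to the depth where include-only code lives, e.g. `location ~ ^/egroupware/(vendor|[^/]+/(src|setup|inc|vendor))/ {`, keeps the deny rule without those false positives; the exact depth should be confirmed against the install tree. Non-`.php` files under these directories do not match this block and, as far as the visible `try_files` line shows, are still served statically, which deserves a comment next to the rule. The enclosing location block closes outside the hunk.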