From 7ffab2f1cbddaa93b0bc468657a663619903592d Mon Sep 17 00:00:00 2001
From: Gabriel Nagy
Date: Wed, 16 Feb 2022 10:50:32 +0200
Subject: [PATCH] authelia-server.conf: allow pipe character in URI

The characters in the regex used for mitigating CVE-2021-32637 are not exhaustive since query strings seem to not always conform to the RFC3986, this is also mentioned in the security advisory for the CVE.[1]

For example, attempting to delete multiple torrents in the qBittorrent WebUI results in an URL like the following:

confirmdeletion.html?hashes=HASH1|HASH2

This URL is valid and parsable by Authelia, but due to the regex it gets redirected infinitely. To fix this, also allow pipe characters in the request URI.

[1] https://github.com/authelia/authelia/security/advisories/GHSA-68wm-pfjf-wqp6
---
 README.md | 1 +
 readme-vars.yml | 1 +
 root/defaults/authelia-server.conf | 4 ++--
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 936f1a2..dcf2f29 100644
--- a/README.md
+++ b/README.md
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **16.02.22:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Allow pipe character in request URI
 * **09.01.22:** - Added a fail2ban jail for nginx unauthorized
 * **21.12.21:** - Fixed issue with iptables not working as expected
 * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)
diff --git a/readme-vars.yml b/readme-vars.yml
index a033ea4..2b337eb 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -154,6 +154,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "16.02.22:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Allow pipe character in request URI" }
   - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" }
   - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" }
   - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" }
diff --git a/root/defaults/authelia-server.conf b/root/defaults/authelia-server.conf
index 8bd63d0..cf09338 100644
--- a/root/defaults/authelia-server.conf
+++ b/root/defaults/authelia-server.conf
@@ -1,4 +1,4 @@
-## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+## Version 2022/02/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 
 location ^~ /authelia {
@@ -10,7 +10,7 @@ location ^~ /authelia {
     location = /authelia/api/verify {
         internal;
-        if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+        if ($request_uri ~ [^a-zA-Z0-9_+-=|\!@$%&*?~.:#'\;\(\)\[\]]) {
             return 401;
         }
         include /config/nginx/resolver.conf;
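Review bot: The character class on the added `if ($request_uri ~ ...)` line of the `/authelia/api/verify` hunk is not self-describing: inside the brackets, `+-=` is a range (0x2B to 0x3D), so besides the literal `+`, `-` and `=` it also admits `,`, `/` and `<`, and `/` is in fact only permitted through that range. Because this class is the CVE-2021-32637 mitigation and every character added to it widens what is forwarded to Authelia, a comment above the `if` would keep the next maintainer from reading `+-=` as three literals, e.g. `# Allowlist of request URI characters (mitigation for CVE-2021-32637); "+-=" is a range, so it also admits "," "/" and "<"`. If admitting `<` is not intentional, escaping the hyphen and listing `/` and `,` explicitly, `if ($request_uri ~ [^a-zA-Z0-9_+\-=|/,\!@$%&*?~.:#'\;\(\)\[\]]) {`, would make the set explicit, but that tightens the filter and should be checked against the advisory before changing it. The enclosing `location = /authelia/api/verify` block continues past the end of the hunk.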