fossilfranv/nginx_docker-swag
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

authelia-server.conf: allow pipe character in URI

Browse Source 
The characters in the regex used for mitigating CVE-2021-32637 are not
exhaustive since query strings seem to not always conform to the
RFC3986, this is also mentioned in the security advisory for the CVE.[1]

For example, attempting to delete multiple torrents in the qBittorrent
WebUI results in an URL like the following:

    confirmdeletion.html?hashes=HASH1|HASH2

This URL is valid and parsable by Authelia, but due to the regex it gets
redirected infinitely.

To fix this, also allow pipe characters in the request URI.

[1] https://github.com/authelia/authelia/security/advisories/GHSA-68wm-pfjf-wqp6
This commit is contained in:
Gabriel Nagy 2022-02-16 10:50:32 +02:00
parent 274369c4ba
commit 7ffab2f1cb
No known key found for this signature in database
GPG Key ID: A2B2C9C0F6B672B3
3 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions ## Versions
* **16.02.22:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Allow pipe character in request URI
* **09.01.22:** - Added a fail2ban jail for nginx unauthorized * **09.01.22:** - Added a fail2ban jail for nginx unauthorized
* **21.12.21:** - Fixed issue with iptables not working as expected * **21.12.21:** - Fixed issue with iptables not working as expected
* **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind) * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)

1
readme-vars.yml
View File

@ -154,6 +154,7 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog # changelog
changelogs: changelogs:
- { date: "16.02.22:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Allow pipe character in request URI" }
- { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" } - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" }
- { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" } - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" }
- { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" } - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" }

4
root/defaults/authelia-server.conf
View File

@ -1,4 +1,4 @@
## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf ## Version 2022/02/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
# Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that your authelia container is in the same user defined bridge network and is named authelia
location ^~ /authelia { location ^~ /authelia {
@ -10,7 +10,7 @@ location ^~ /authelia {
location = /authelia/api/verify { location = /authelia/api/verify {
internal; internal;
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) { if ($request_uri ~ [^a-zA-Z0-9_+-=|\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401; return 401;
} }
include /config/nginx/resolver.conf; include /config/nginx/resolver.conf;