Commit Graph

5 Commits

Author SHA1 Message Date
Gabriel Nagy
7ffab2f1cb
authelia-server.conf: allow pipe character in URI
The characters in the regex used for mitigating CVE-2021-32637 are not
exhaustive since query strings seem to not always conform to
RFC3986; this is also mentioned in the security advisory for the CVE.[1]

For example, attempting to delete multiple torrents in the qBittorrent
WebUI results in a URL like the following:

    confirmdeletion.html?hashes=HASH1|HASH2

This URL is valid and parsable by Authelia, but due to the regex it gets
redirected infinitely.

To fix this, also allow pipe characters in the request URI.

[1] https://github.com/authelia/authelia/security/advisories/GHSA-68wm-pfjf-wqp6
2022-02-16 10:58:12 +02:00
aptalca
224abb686d update authelia-server.conf for resolver and CVE 2021-05-28 17:40:28 -04:00
James Elliott
e116a1829e
feat(authelia): add remote name/email headers and pass http method
This adds newer remote credential information from the auth_request headers sent by Authelia: Remote-Name includes the user's display name, and Remote-Email includes their email. Additionally, it sets the X-Forwarded-Method header to the original $request_method detected by nginx, which is used for the new ACL rule method filter.
2021-04-21 13:17:25 +10:00
aptalca
cb468cd7ee fix github links 2020-08-03 13:41:52 -04:00
aptalca
9352a59250 initial release 2020-08-03 11:00:14 -04:00