fossilfranv/nginx_docker-swag
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7ffab2f1cb
nginx_docker-swag/root
History
Gabriel Nagy 7ffab2f1cb
authelia-server.conf: allow pipe character in URI 
The characters in the regex used for mitigating CVE-2021-32637 are not
exhaustive since query strings seem to not always conform to the
RFC3986, this is also mentioned in the security advisory for the CVE.[1]

For example, attempting to delete multiple torrents in the qBittorrent
WebUI results in an URL like the following:

    confirmdeletion.html?hashes=HASH1|HASH2

This URL is valid and parsable by Authelia, but due to the regex it gets
redirected infinitely.

To fix this, also allow pipe characters in the request URI.

[1] https://github.com/authelia/authelia/security/advisories/GHSA-68wm-pfjf-wqp6
2022-02-16 10:58:12 +02:00
..
app update conf name in scripts 2020-12-10 13:37:53 -05:00
defaults authelia-server.conf: allow pipe character in URI 2022-02-16 10:58:12 +02:00
etc Move maxmind to a new mod 2021-12-04 20:57:16 +02:00
donate.txt initial release 2020-08-03 11:00:14 -04:00