The characters in the regex used for mitigating CVE-2021-32637 are not
exhaustive since query strings seem to not always conform to the
RFC3986, this is also mentioned in the security advisory for the CVE.[1]
For example, attempting to delete multiple torrents in the qBittorrent
WebUI results in an URL like the following:
confirmdeletion.html?hashes=HASH1|HASH2
This URL is valid and parsable by Authelia, but due to the regex it gets
redirected infinitely.
To fix this, also allow pipe characters in the request URI.
[1] https://github.com/authelia/authelia/security/advisories/GHSA-68wm-pfjf-wqp6
7ffab2f1cb