From 5300f381b000417027c148f1de6596324fbca814 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 16 Oct 2024 15:37:44 +0200
Subject: [PATCH] nginx: use safer request_uri variable
Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability. https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
---
 modules/nginx-mastodon-files/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nginx-mastodon-files/default.nix b/modules/nginx-mastodon-files/default.nix
index a4ddca4e..8a62d359 100644
--- a/modules/nginx-mastodon-files/default.nix
+++ b/modules/nginx-mastodon-files/default.nix
@@ -44,7 +44,7 @@ in
 proxy_hide_header x-amz-bucket-region;
 proxy_hide_header x-amzn-requestid;
 proxy_ignore_headers Set-Cookie;
- proxy_pass $s3_backend$uri;
+ proxy_pass $s3_backend$request_uri;
 proxy_intercept_errors off;
 proxy_ssl_protocols TLSv1.2 TLSv1.3;
 proxy_ssl_server_name on;
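Review bot: `$request_uri` fixes the splitting finding because it is the raw, still-encoded request URI, but unlike `$uri` it also carries the query string and skips nginx's path normalization. The new `proxy_pass $s3_backend$request_uri;` line therefore forwards client-supplied arguments and un-normalized paths (duplicate slashes, dot segments, encoded sequences) to the S3 backend unchanged. If the bucket should only ever see plain object paths, confirm how the backend treats those inputs and whether any cache key in this location includes them; the location block starts and ends outside the hunk, so that cannot be checked here. I would also add a comment above the directive so the variable is not changed back later: `# $request_uri, not $uri: $uri is percent-decoded and can carry CR/LF into the upstream request (gixy http_splitting)`.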