Skip to content

unsafe nginx config #5117

Description

@p3x-robot

It is easy.
Your error:

root@server:~/server-scripts# gixy
[nginx_parser]	WARNING	File not found: /etc/nginx/conf.d/*.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:
include /etc/nginx/sites-enabled/sync.patrikx3.tk;

	server {
		server_name sync.patrikx3.tk;

		location / {
			rewrite ^ /index.php$uri;
		}
	}


==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1

Just do not use $uri for NGINX, use $request_uri;

For use like this:

  location / {
        rewrite ^ /index.php$request_uri;
    }

Metadata

Metadata

Assignees

No one assigned

    Labels

    0. Needs triagePending check for reproducibility or if it fits our roadmap

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions