[Nginx] HTTP-Splitting vulnerability

  
!Hubzilla Support Forum
Gixy shows HTTP-Splitting vulnerability in the nginx.conf.


==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:

location / {

    if ($is_args != ) {
        rewrite ^/(.*) /index.php?q=$uri&$args last;
    }
    rewrite ^/(.*) /index.php?q=$uri last;
}

location ^~ /.well-known/ {
    rewrite ^/(.*) /index.php?q=$uri&$args last;
}

Started a github issue : https://github.com/redmatrix/hubzilla/issues/1155
Replacing $uri to $request_uri  broke my instance. Can people using nginx confirm the same result ?
  
I have changed to this and its working. I will test more if everything works as usual.

What about:

location ^~ /.well-known/ {
    rewrite ^/(.*) /index.php?q=$uri&$args last;
}


Gixy still gives me warning for this.
  
@Mario Vavti
Thanks for the commit.