Hubzilla Support Forum

Gixy shows HTTP-Splitting vulnerability in the nginx.conf.
==================== Results ===================
>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:
location / {
    if ($is_args != ) {
        rewrite ^/(.*) /index.php?q=$uri&$args last;
    }
    rewrite ^/(.*) /index.php?q=$uri last;
}
location ^~ /.well-known/ {
    rewrite ^/(.*) /index.php?q=$uri&$args last;
}
Started a GitHub issue:
https://github.com/redmatrix/hubzilla/issues/1155

Replacing $uri with $request_uri broke my instance. Can people using nginx confirm the same result?
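
Added example, not part of the original post and not code from Hubzilla, Gixy or nginx: a simplified Python model of the `location /` rewrite above, showing why Gixy flags `$uri` (nginx percent-decodes it, so an encoded CR/LF becomes a literal one) and how the value passed in `q` changes when `$request_uri` (the raw request line target, query string included) is swapped in. The function names and sample request targets are constructed for illustration, and the model covers only percent-decoding and the query split, not nginx's other path normalization.

```python
from urllib.parse import unquote_to_bytes


def nginx_vars(request_target: str) -> dict:
    """Simplified model of the nginx variables used in the rewrite rules."""
    path, sep, args = request_target.partition("?")
    return {
        # $request_uri: original target exactly as sent, still encoded, with args
        "request_uri": request_target,
        # $uri: path only, percent-decoded (so %0d%0a turns into real CR LF)
        "uri": unquote_to_bytes(path).decode("latin-1"),
        "args": args,      # $args
        "is_args": sep,    # $is_args: "?" if a query string is present, else ""
    }


def location_root_rewrite(request_target: str, variable: str = "uri") -> str:
    """Replacement string produced by the two rewrites in `location /`,
    with `variable` ("uri" or "request_uri") substituted after q=."""
    v = nginx_vars(request_target)
    q = v[variable]
    if v["is_args"] != "":
        return f"/index.php?q={q}&{v['args']}"
    return f"/index.php?q={q}"


def has_crlf(value: str) -> bool:
    """The condition Gixy's http_splitting check warns about."""
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    # Constructed sample request targets.
    for target in ("/channel/alice?page=2", "/a%0d%0ab"):
        for var in ("uri", "request_uri"):
            out = location_root_rewrite(target, var)
            print(f"{target!r:26} ${var:12} -> {out!r}  crlf={has_crlf(out)}")
```

In this model `$request_uri` never yields a raw CR/LF, but it hands the application a still-encoded value that repeats the query string inside `q`, which is a different input from the decoded path `$uri` supplied.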