From 9cb1228294e248e82f701093cb983c1317ee65c0 Mon Sep 17 00:00:00 2001 From: David Timber Date: Sun, 6 Apr 2025 19:10:09 +0200 Subject: Fix $uri bug in writeups/cgit/cgit.md Regex capture groups returned from Nginx's `set` directive are not "normalized". As a result, the cgit backend was getting undecoded PATH_INFO, rendering some files with special characters inaccessible and some web crawlers recursively accessing broken links(%25252525 ...) - https://serverfault.com/questions/832040/how-can-i-block-all-head-requests-to-urls-that-contain-a-substring-on-apache - https://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri --- writeups/cgit/cgit.md | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'writeups') diff --git a/writeups/cgit/cgit.md b/writeups/cgit/cgit.md index 8bd4c19..362a295 100644 --- a/writeups/cgit/cgit.md +++ b/writeups/cgit/cgit.md @@ -188,27 +188,24 @@ location /cgit { gzip on; # not required for subdomain - if ( $uri ~* ^/cgit(/.*)?$ ) { - set $uri_new $1; - } + rewrite ^/git$ /git/ permanent; + rewrite ^/git/(.*)?$ /$1 break; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/cgi-bin/cgit; - # change to $uri if subdomain - fastcgi_param PATH_INFO $uri_new; + fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; fastcgi_param HTTP_HOST $server_name; fastcgi_pass unix:/run/fcgiwrap/fcgiwrap-cgit.sock; location ~ /cgit/.+/(info/refs|git-upload-pack) { # not required for subdomain - if ( $uri ~* ^/cgit(/.*)?$ ) { - set $uri_new $1; - } + rewrite ^/git$ /git/ permanent; + rewrite ^/git/(.*)?$ /$1 break; + include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; - # change to $uri if subdomain - fastcgi_param PATH_INFO $uri_new; + fastcgi_param PATH_INFO $uri; fastcgi_param GIT_HTTP_EXPORT_ALL 1; fastcgi_param GIT_PROJECT_ROOT /srv/git; fastcgi_param HOME /srv/git; -- cgit v1.2.3-70-g09d2
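Review bot: The added `rewrite ^/git$ /git/ permanent;` and `rewrite ^/git/(.*)?$ /$1 break;` match a `/git` prefix, but the unchanged context lines around them are `location /cgit` and `location ~ /cgit/.+/(info/refs|git-upload-pack)`. As shown, a `/cgit/...` request therefore matches neither rewrite, and `$uri` reaches `PATH_INFO` with the `/cgit` prefix still attached, which the removed `if`/`set` pair used to strip. Unless the writeup switches to a `/git` prefix outside this hunk, both places should read `rewrite ^/cgit$ /cgit/ permanent;` and `rewrite ^/cgit/(.*)?$ /$1 break;`. The second block matters most, because that `PATH_INFO` is what git-http-backend resolves under `GIT_PROJECT_ROOT /srv/git` with `GIT_HTTP_EXPORT_ALL` set. A short comment there, such as `# $uri is the decoded, normalized path after the rewrite; PATH_INFO must not keep the /cgit prefix`, would help readers who copy the snippet, and the fix is worth confirming with a clone plus a file name containing an encoded character.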