Protect against alias_traversal & httpoxy

README.md

@@ -17,5 +17,4 @@ sudo yunohost app install --url grav https://github.com/YunoHost-Apps/grav_ynh
 
 ## TODO
 
-[ ] fix alias_traversal
 [ ] send email to admin

check_process

@@ -41,4 +41,4 @@ Notification=all
 ;;; Upgrade options
 	; commit=8b79023a4fb3633b1a01e4ad4dafb41a5344c3fd
 		name=pre rebuild
-		manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr_FR&is_public="Yes"&
+		manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr_FR&is_public=PUBLIC&

conf/nginx.conf

@@ -1,4 +1,5 @@
-location __PATH__ {
+#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
+location __PATH__/ {
 		alias __FINALPATH__/;
 		index index.php;
 
@@ -33,6 +34,8 @@ location __PATH__ {
 			fastcgi_pass unix:/var/run/php/php7.0-fpm-__NAME__.sock;
 			fastcgi_index index.php;
 			include fastcgi_params;
+			# https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability
+			fastcgi_param HTTP_PROXY "";
 			fastcgi_param REMOTE_USER $remote_user;
 			fastcgi_param PATH_INFO $fastcgi_path_info;
 			fastcgi_param SCRIPT_FILENAME $request_filename;