From b4b83eca41f9f782188133b7b1ac7e483924684a Mon Sep 17 00:00:00 2001
From: anmol26s <anmol@datamol.org>
Date: Sat, 5 May 2018 13:31:19 +0530
Subject: [PATCH] Futher fixed [Nginx] HTTP-Splitting vulnerability

---
 conf/nginx.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index f375096f..efa84d83 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -31,17 +31,19 @@
   # by denying dot files and rewrite request to the front controller
   location ^~ /.well-known/ {
     allow all;
-    rewrite ^/(.*) /index.php?q=$uri&$args last;
+    if (!-e $request_filename) {
+      rewrite ^(.*)$ /index.php?q=$1;
+    }
   }
 
   # statically serve these file types when possible
   # otherwise fall back to front controller
   # allow browser to cache them
   # added .htm for advanced source code editor library
-  location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|map|ttf|woff|woff2|svg)$ {
-    expires 30d;
-    try_files $uri /index.php?q=$uri&$args;
-  }
+  #location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|map|ttf|woff|woff2|svg)$ {
+  #  expires 30d;
+  #  try_files $uri /index.php?q=$uri&$args;
+  # }
   
   # block these file types
   location ~* \.(tpl|md|tgz|log|out)$ {