Fix alias_traversal

conf/nginx.conf

@@ -1,4 +1,5 @@
-location __PATH__ {
+#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
+location __PATH__/ {
 	alias __FINALPATH__/;
 
 	if ($scheme = http) {

scripts/_common.sh

@@ -454,6 +454,11 @@ EOF
 	ynh_store_file_checksum "$finalfail2banfilterconf"
 
 	sudo systemctl restart fail2ban
+	if local fail2ban_error="$(tail -n50 /var/log/fail2ban.log | grep "WARNING Command.*$app.*addfailregex")"
+	then
+		echo "[ERR] Fail2ban fail to load the jail for $app" >&2
+		echo "WARNING${fail2ban_error#*WARNING}" >&2
+	fi
 }
 
 # Remove the dedicated fail2ban config (jail and filter conf files)

scripts/_sed

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# https://github.com/YunoHost/yunohost/pull/394
+
+# Substitute/replace a string (or expression) by another in a file
+#
+# usage: ynh_replace_string match_string replace_string target_file
+# | arg: match_string - String to be searched and replaced in the file
+# | arg: replace_string - String that will replace matches
+# | arg: target_file - File in which the string will be replaced.
+#
+# As this helper is based on sed command, regular expressions and
+# references to sub-expressions can be used
+# (see sed manual page for more information)
+ynh_replace_string () {
+	local delimit=@
+	local match_string=$1
+	local replace_string=$2
+	local workfile=$3
+
+	# Escape the delimiter if it's in the string.
+	match_string=${match_string//${delimit}/"\\${delimit}"}
+	replace_string=${replace_string//${delimit}/"\\${delimit}"}
+
+	sudo sed --in-place "s${delimit}${match_string}${delimit}${replace_string}${delimit}g" "$workfile"
+}
+
+# Substitute/replace a password by another in a file
+#
+# usage: ynh_replace_password_string match_string replace_string target_file
+# | arg: match_string - String to be searched and replaced in the file
+# | arg: replace_string - String that will replace matches
+# | arg: target_file - File in which the string will be replaced.
+#
+# This helper will use ynh_replace_string, but as you can use special
+# characters, you can't use some regular expressions and sub-expressions.
+ynh_replace_password_string () {
+	local match_string=$1
+	local replace_string=$2
+	local workfile=$3
+
+	# Escape any backslash to preserve them as simple backslash.
+	match_string=${match_string//\\/"\\\\"}
+	replace_string=${replace_string//\\/"\\\\"}
+
+	# Escape the & character, who has a special function in sed.
+	match_string=${match_string//&/"\&"}
+	replace_string=${replace_string//&/"\&"}
+
+	ynh_replace_string "$match_string" "$replace_string" "$workfile"
+}

scripts/change_url

@@ -8,6 +8,7 @@
 
 source _common.sh
 source /usr/share/yunohost/helpers
+source _sed
 
 #=================================================
 # RETRIEVE ARGUMENTS
@@ -64,7 +65,20 @@ nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
 # Change the path in the nginx config file
 if [ $change_path -eq 1 ]
 then
-	ynh_replace_string "location $old_path" "location $new_path" "$nginx_conf_path"
+
+	# Move from sub path to root
+	if [ "$new_path" == "/" ]
+	then
+		ynh_replace_string "^ *rewrite.*\^$old_path" "#sub_path_only&" "$nginx_conf_path"
+		ynh_replace_string "\(rewrite *\^\)$old_path\$ $old_path/*" "\1$new_path$ $new_path" "$nginx_conf_path"
+
+	# Move to a sub path
+	else
+		ynh_replace_string "^#sub_path_only" "" "$nginx_conf_path"
+		ynh_replace_string "\(rewrite *\^\)$old_path\$ $old_path/*" "\1$new_path$ $new_path/" "$nginx_conf_path"
+	fi
+
+	ynh_replace_string "location ${old_path%/}/" "location ${new_path%/}/" "$nginx_conf_path"
 fi
 
 # Change the domain for nginx

scripts/install

@@ -94,6 +94,10 @@ ynh_setup_source "$final_path" admin_dashboard
 # NGINX CONFIGURATION
 #=================================================
 
+if [ "$path_url" != "/" ]
+then
+	ynh_replace_string "^#sub_path_only" "" "../conf/nginx.conf"
+fi
 ynh_add_nginx_config
 
 #=================================================

scripts/upgrade

@@ -63,6 +63,10 @@ ynh_setup_source "$final_path" admin_dashboard
 # NGINX CONFIGURATION
 #=================================================
 
+if [ "$path_url" != "/" ]
+then
+	ynh_replace_string "^#sub_path_only" "" "../conf/nginx.conf"
+fi
 ynh_add_nginx_config
 
 #=================================================