From f92b84bd94f44bd32b4c6b799262a6e5d21f60fb Mon Sep 17 00:00:00 2001
From: ljf
Date: Thu, 3 Sep 2020 22:27:46 +0200
Subject: [PATCH 1/2] [fix] SSO unavailable
---
 data/templates/nginx/plain/yunohost_sso.conf.inc | 5 +++++
 data/templates/nginx/server.tpl.conf | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 data/templates/nginx/plain/yunohost_sso.conf.inc
diff --git a/data/templates/nginx/plain/yunohost_sso.conf.inc b/data/templates/nginx/plain/yunohost_sso.conf.inc
new file mode 100644
index 000000000..cb3c5453d
--- /dev/null
+++ b/data/templates/nginx/plain/yunohost_sso.conf.inc
@@ -0,0 +1,5 @@
+# Avoid the nginx path/alias traversal weakness ( #1037 )
+rewrite ^/yunohost/sso$ /yunohost/sso/ permanent;
+
+location /yunohost/sso/ {
+}
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 29af9f532..8bd689a92 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -14,7 +14,7 @@ server {
 include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
- location /yunohost/admin {
+ location /yunohost {
 return 301 https://$http_host$request_uri;
 }
@@ -60,6 +60,7 @@ server {
 include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
+ include /etc/nginx/conf.d/yunohost_sso.conf.inc;
 include /etc/nginx/conf.d/yunohost_admin.conf.inc;
 include /etc/nginx/conf.d/yunohost_api.conf.inc;
From cc4db7a6f621aaf918c7729c20899f8ca91c4663 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 3 Sep 2020 23:47:24 +0200
Subject: [PATCH 2/2] Add a comment explaining why the location is empty
---
 data/templates/nginx/plain/yunohost_sso.conf.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/data/templates/nginx/plain/yunohost_sso.conf.inc b/data/templates/nginx/plain/yunohost_sso.conf.inc
index cb3c5453d..308e5a9a4 100644
--- a/data/templates/nginx/plain/yunohost_sso.conf.inc
+++ b/data/templates/nginx/plain/yunohost_sso.conf.inc
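Review bot: The empty `location /yunohost/sso/ {` in the new yunohost_sso.conf.inc is a plain prefix location, so it does not keep regex locations from being selected for the same URI; nginx still evaluates regex locations after the longest prefix match unless that prefix carries `^~`. If any file pulled in by `include /etc/nginx/conf.d/{{ domain }}.d/*.conf;` declares a regex location that can match under `/yunohost/sso/` (not visible in this patch), that block would handle the request instead of this one. Writing it as `location ^~ /yunohost/sso/ {` would make the reservation hold against regex locations as well. The comment added in PATCH 2/2 says the block keeps other locations from matching, which as written is only true for other prefix locations.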
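Review bot: Widening the match to `location /yunohost {` in the first server.tpl.conf hunk puts the SSO login path behind the existing `return 301 https://$http_host$request_uri;`, whose target host is copied from the client-supplied Host header, port included. If this server block can ever receive requests with a Host other than the configured domain (for example as the default server, which the hunk does not show), the login redirect would point wherever that header says; `return 301 https://$host$request_uri;` is the more conservative form. The prefix also has no trailing boundary, so it matches sibling paths such as `/yunohostfoo`; `location /yunohost/` together with `location = /yunohost` would limit it to the intended tree. The server block starts and ends outside the hunk.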
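Review bot: The added `include /etc/nginx/conf.d/yunohost_sso.conf.inc;` in the second server.tpl.conf hunk names a single file rather than a glob, and nginx treats a missing non-glob include as a configuration error, so every HTTPS server block rendered from this template now depends on that file already being present. The patch adds the template under `data/templates/nginx/plain/`, but the step that installs it into `/etc/nginx/conf.d/` is not part of the diff. It is worth confirming that the file is written before the per-domain configs are tested and reloaded, otherwise the SSO fix could leave nginx unable to reload on upgrade. The server block starts and ends outside the hunk.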
@@ -2,4 +2,6 @@
 rewrite ^/yunohost/sso$ /yunohost/sso/ permanent;
 location /yunohost/sso/ {
+ # This is an empty location, only meant to avoid other locations
+ # from matching /yunohost/sso, such that it's correctly handled by ssowat
 }