From f92b84bd94f44bd32b4c6b799262a6e5d21f60fb Mon Sep 17 00:00:00 2001
From: ljf
Date: Thu, 3 Sep 2020 22:27:46 +0200
Subject: [PATCH 1/3] [fix] SSO unavailable
---
 data/templates/nginx/plain/yunohost_sso.conf.inc | 5 +++++
 data/templates/nginx/server.tpl.conf | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 data/templates/nginx/plain/yunohost_sso.conf.inc
diff --git a/data/templates/nginx/plain/yunohost_sso.conf.inc b/data/templates/nginx/plain/yunohost_sso.conf.inc
new file mode 100644
index 000000000..cb3c5453d
--- /dev/null
+++ b/data/templates/nginx/plain/yunohost_sso.conf.inc
@@ -0,0 +1,5 @@
+# Avoid the nginx path/alias traversal weakness ( #1037 )
+rewrite ^/yunohost/sso$ /yunohost/sso/ permanent;
+
+location /yunohost/sso/ {
+}
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 29af9f532..8bd689a92 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -14,7 +14,7 @@ server {
 include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
- location /yunohost/admin {
+ location /yunohost {
 return 301 https://$http_host$request_uri;
 }
@@ -60,6 +60,7 @@ server {
 include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
+ include /etc/nginx/conf.d/yunohost_sso.conf.inc;
 include /etc/nginx/conf.d/yunohost_admin.conf.inc;
 include /etc/nginx/conf.d/yunohost_api.conf.inc;
From cc4db7a6f621aaf918c7729c20899f8ca91c4663 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 3 Sep 2020 23:47:24 +0200
Subject: [PATCH 2/3] Add a comment explaining why the location is empty
---
 data/templates/nginx/plain/yunohost_sso.conf.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/data/templates/nginx/plain/yunohost_sso.conf.inc b/data/templates/nginx/plain/yunohost_sso.conf.inc
index cb3c5453d..308e5a9a4 100644
--- a/data/templates/nginx/plain/yunohost_sso.conf.inc
+++ b/data/templates/nginx/plain/yunohost_sso.conf.inc
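Review bot: The empty `location /yunohost/sso/ {` added in data/templates/nginx/plain/yunohost_sso.conf.inc is a plain prefix location, so nginx still runs its regex pass after selecting it. An app conf pulled in through `include /etc/nginx/conf.d/{{ domain }}.d/*.conf;` that declares a regex location could therefore still capture requests under /yunohost/sso/. If the intent is that no app location can shadow the portal, `location ^~ /yunohost/sso/ {` expresses that, because `^~` skips regex matching once this prefix is the longest match. The header comment about the path/alias traversal weakness is also misleading here since the file contains no `alias`; something like `# Redirect /yunohost/sso to /yunohost/sso/ so it lands in the location below` describes the rewrite as written. How ssowat then serves the request is not visible in this patch and should be confirmed before relying on the empty block.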
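Review bot: `location /yunohost {` in the first hunk of data/templates/nginx/server.tpl.conf is a prefix match with no trailing slash, so it also covers sibling paths such as /yunohost-foo (constructed example) and not only /yunohost/admin, /yunohost/api and /yunohost/sso. The redirect on the following context line builds its target from `$http_host`, the client-supplied Host header, and this change widens the set of paths where that value is reflected into the `Location` response header. If this server block only answers for the templated name, `return 301 https://{{ domain }}$request_uri;` would pin the target; the `server_name` line is outside the hunk, so that needs checking. A short comment such as `# Force HTTPS for admin, API and SSO portal` above the location would also record why the prefix was broadened.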
@@ -2,4 +2,6 @@
 rewrite ^/yunohost/sso$ /yunohost/sso/ permanent;
 location /yunohost/sso/ {
+ # This is an empty location, only meant to avoid other locations
+ # from matching /yunohost/sso, such that it's correctly handled by ssowat
 }
From d49f1ce73358f2b68f28f8ef0f46a994fca638d3 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 4 Sep 2020 14:35:16 +0200
Subject: [PATCH 3/3] Update changelog for 4.0.7
---
 debian/changelog | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 92af480ac..34d0da4dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+yunohost (4.0.7) stable; urgency=low
+
+ - [fix] Require explicitly php7.3-foo packages because in some cases Sury's php7.4- packages are installed and php7.3-fpm doesn't get installed ... (1288159a)
+ - [fix] Make sure app nginx confs do not prevent the loading of /yunohost/sso (#1044)
+
+ Thanks to all contributors <3 ! (Kayou, ljf)
+
+ -- Alexandre Aubin Fri, 04 Sep 2020 14:32:07 +0200
+
 yunohost (4.0.6.1) stable; urgency=low
 - [fix] Stupid syntax issue in dovecot conf