Commit 1be55c3b authored by BOA Dev Team's avatar BOA Dev Team

Nginx: Add Mitigation for https://www.drupal.org/SA-CORE-2018-002

parent d7692572
......@@ -70,10 +70,32 @@ if ($main_site_name = '') {
set $main_site_name "$server_name";
}
###
### Mitigation for https://www.drupal.org/SA-CORE-2018-002
###
set $rce "ZZ";
if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
set $rce "A";
}
if ( $request_method = POST ) {
set $rce "${rce}B";
}
if ( $rce = "AB" ) {
return 403;
}
<?php if ($nginx_config_mode == 'extended'): ?>
set $nocache_details "Cache";
<?php if ($satellite_mode == 'boa'): ?>
###
### Return 404 on special PHP URLs to avoid revealing version used,
### even indirectly. See also: https://drupal.org/node/2116387
###
if ( $args ~* "=PHP[A-Z0-9]{8}-" ) {
return 404;
}
###
### Deny crawlers.
###
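Review bot: The `$rce` check under the SA-CORE-2018-002 heading is only a partial filter, because it tests `$query_string` on POST requests for three encoded key fragments and never looks at the request body or cookies, nor at other `#`-prefixed keys in the query string. The remedy for the advisory is the Drupal core update, and the block should say so for the next maintainer, for example `### Stop-gap only: checks the query string of POST requests; body and cookies are not inspected. Update Drupal core.` The unanchored `23value` alternative also matches ordinary values such as a parameter ending in `123value`, so some legitimate POSTs may receive a 403. It would help to note in the comment whether the missing `%` is deliberate, for instance to also catch double-encoded input. The +/- markers are lost on this page, so which lines are new is inferred from the hunk header counts and the heading comment.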
......