
Access to internal only /mail_auth route via lazy regex matching #108

Description

@charliemirabile

If you visit /mail_auth.md or anything else that starts with /mail_auth and ends with .md, the nginx regex that scans for paths ending in .md will forward it to orbit, but then the orbit regex that scans for paths starting with /mail_auth will be checked before the "ends in .md" one is checked.

This means that mail_auth, which should be an internal-only route, is actually accessible externally. In theory you could use this route to brute force credentials, but it isn't like /login is more hardened against that, so this isn't really a serious issue, just an unintended consequence of having two places where we deal with regexes to filter paths.
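The ordering problem described in the report, modelled as an added example (not code from the orbit project or from the issue author). The nginx rule, the two orbit route patterns, the handler names and the internal-only set are all assumptions chosen to mirror the description; the point is to show why a path can pass the edge's "ends in .md" filter and still land on the "/mail_auth" prefix rule, and that an explicit internal-only check inside the app closes the gap regardless of how the two regex lists are ordered.

```python
import re

# Constructed model of the two-layer routing the issue describes:
# an nginx edge that forwards paths ending in .md to the "orbit" app,
# and orbit's own ordered list of (regex, handler) route rules.
# All patterns and handler names here are assumptions for illustration.

NGINX_FORWARD_TO_ORBIT = re.compile(r"\.md$")

# Orbit's routes in the order the issue reports: the "/mail_auth" prefix
# rule is evaluated before the "ends in .md" rule.
ORBIT_ROUTES_AS_REPORTED = [
    (re.compile(r"^/mail_auth"), "mail_auth"),  # meant to be internal only
    (re.compile(r"\.md$"), "markdown"),
]

# Same rules with the ".md" rule first; fixes this symptom but still relies
# on two regex lists (nginx's and orbit's) staying in sync.
ORBIT_ROUTES_MD_FIRST = [
    (re.compile(r"\.md$"), "markdown"),
    (re.compile(r"^/mail_auth"), "mail_auth"),
]

# Handlers that must never be reachable from the public edge (assumption).
INTERNAL_ONLY_HANDLERS = {"mail_auth"}

# Constructed sample paths to exercise the model.
SAMPLE_PATHS = [
    "/mail_auth",
    "/mail_auth.md",
    "/docs/readme.md",
    "/mail_auth/anything.md",
]


def nginx_upstream(path):
    """Return which upstream the edge forwards to: 'orbit' or 'static'."""
    return "orbit" if NGINX_FORWARD_TO_ORBIT.search(path) else "static"


def orbit_dispatch(path, routes):
    """First-match dispatch over an ordered list of (regex, handler) rules."""
    for pattern, handler in routes:
        if pattern.search(path):
            return handler
    return "not_found"


def handle_external_request(path, routes, enforce_internal_boundary):
    """Model one request arriving at the public edge.

    Returns the handler that ends up serving it, 'static' when nginx never
    forwards it to orbit, or 'denied' when orbit itself refuses to serve an
    internal-only handler to an externally sourced request.
    """
    if nginx_upstream(path) != "orbit":
        return "static"
    handler = orbit_dispatch(path, routes)
    if enforce_internal_boundary and handler in INTERNAL_ONLY_HANDLERS:
        return "denied"
    return handler


def exposed_internal_paths(paths, routes, enforce_internal_boundary):
    """List the sample paths that reach an internal-only handler from outside."""
    return [
        p for p in paths
        if handle_external_request(p, routes, enforce_internal_boundary)
        in INTERNAL_ONLY_HANDLERS
    ]


if __name__ == "__main__":
    for label, routes, enforce in [
        ("as reported", ORBIT_ROUTES_AS_REPORTED, False),
        (".md rule first", ORBIT_ROUTES_MD_FIRST, False),
        ("internal-only check in app", ORBIT_ROUTES_AS_REPORTED, True),
    ]:
        print(f"{label}: exposed =",
              exposed_internal_paths(SAMPLE_PATHS, routes, enforce))
```

With the rules ordered as reported, /mail_auth.md and /mail_auth/anything.md both reach the mail_auth handler while the plain /mail_auth is stopped at nginx. Swapping the order sends them to the markdown handler instead, but the app still depends on the edge's regex agreeing with its own; having orbit refuse internal-only handlers for external requests (the `enforce_internal_boundary` path, an assumption about how the fix might look) removes that coupling.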

Status: Done