Skip to content

Fix incorrect regex for files in errors/ and return 404 for index.php #5149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
colinmollenhour wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix incorrect regex for files in errors/ and return 404 for index.php #5149

colinmollenhour wants to merge 1 commit into from

Conversation

@colinmollenhour
Copy link
Member

@colinmollenhour colinmollenhour commented Dec 13, 2025

This fixes two problems with the nginx config in dev/openmage:

  • The negative lookahead regex for files in errors/ was not working, allowing .php or .xml files stored there to be downloaded
  • The index.php file was not explicitly located as 404

These files were added in #1210 to support Apache and are not needed for nginx but any files added to pub/ should be excluded via the config (this kinda defeats the purpose of having a separate directory for pub files but it is what it is).

Manual testing scenarios (*)

These urls should return a 404:

http://localhost/errors/report.php
http://localhost/index.php

Copilot AI review requested due to automatic review settings December 13, 2025 16:02
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 13, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Copilot AI reviewed Dec 13, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes security vulnerabilities in the OpenMage nginx configuration by correcting a malformed regex pattern that failed to properly restrict file access in the errors/ directory and by blocking direct HTTP access to index.php on the frontend server. The changes ensure that only whitelisted static assets (CSS, images) can be served from the errors directory, while blocking potentially sensitive PHP and XML files. Additionally, the PR reorganizes the nginx directives by moving api.php to the "Apache-only files" section for better logical grouping.

  • Fixed malformed negative lookahead regex in errors/ directory to properly block non-whitelisted file extensions
  • Added explicit 404 response for direct access to /index.php on frontend (while admin still uses it internally)
  • Reorganized api.php directive to the Apache-only files section with exact match modifier for consistency

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
dev/openmage/nginx-frontend.conf Corrected errors/ regex pattern, added index.php blocking, and reorganized api.php directive location
dev/openmage/nginx-admin.conf Applied the same regex pattern fix for errors/ directory to maintain consistency with frontend configuration

sreichel
sreichel approved these changes Dec 14, 2025
View reviewed changes
Copy link
Contributor

@sreichel sreichel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know you dont use it ... but do you still have time to test nginx config with DDEV?

@colinmollenhour
Copy link
Member Author

colinmollenhour commented Dec 16, 2025

I know you dont use it ... but do you still have time to test nginx config with DDEV?

I doubt the two configs have many similarities.. But if you want to test it just check like so:

curl -s -D - http://whatever-your-url-is/errors/report.php
curl -s -D - http://whatever-your-url-is/api.php

I think ideally they should return 404 errors. In this case they were just downloading the php source.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sreichel sreichel sreichel approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@colinmollenhour @sreichel