| author | aszlig <aszlig@nix.build> | 2019-04-06 12:51:56 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2019-04-06 12:51:56 +0200 |
| commit | 6fe989eaed7d283bbde7a58e42ce36c676870aee (patch) | |
| tree | 2b9abf5cfb73bd2ef07fc0fcbbba4f13e6a218a1 /pkgs/development/python-modules/python-mapnik | |
| parent | f3099279f0c294f8e18f295abe735df31a6a906c (diff) | |
nixos/tests/acme: Use exact match in TOS location

Since the switch to check the nginx config with gixy in
59fac1a6d7e1983a1e7bd518129ff9ef39a013dd, the ACME test doesn't build
anymore, because gixy reports the following false-positive (reindented):

    >> Problem: [alias_traversal] Path traversal via misconfigured alias.
    Severity: MEDIUM
    Description: Using alias in a prefixed location that doesn't ends with
                 directory separator could lead to path traversal
                 vulnerability.
    Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
    Pseudo config:

    server {
      server_name letsencrypt.org;
      location /documents/2017.11.15-LE-SA-v1.2.pdf {
        alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf;
      }
    }

The reason this is a false-positive is because the destination is not a
directory, so something like "/foo.pdf../other.txt" won't work here,
because the resulting path would be ".../destfile.pdf../other.txt".

Nevertheless it's a good idea to use the exact match operator (=), to
not only shut up gixy but also gain a bit of performance in lookup (not
that it would matter in our test).

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/development/python-modules/python-mapnik')
0 files changed, 0 insertions, 0 deletions
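
The path mapping the commit message describes, as an added example that is not part of the original commit or of nixpkgs: a simplified Python model of how nginx turns a request URI into a file path under `alias`, run against a constructed temporary directory tree. The function names, locations and file names are assumptions made for illustration, nginx's URI normalization is not modelled, and the directory-alias case is included only as contrast with the file destination used in the test.

```python
import os
import tempfile

def map_alias(location, alias, uri, exact=False):
    """Simplified model of nginx `alias`: the part of the URI that matched
    the location is replaced by the alias string. Returns None on no match.
    Assumption: nginx's URI normalization is not modelled."""
    if exact:                      # location = /path { ... }
        return alias if uri == location else None
    if not uri.startswith(location):   # plain prefix location
        return None
    return alias + uri[len(location):]

def served_file(path):
    """Real path of the regular file the OS would open, or None."""
    if path is None or not os.path.isfile(path):
        return None
    return os.path.realpath(path)

def demo():
    # Constructed tree: a file alias target with a sibling, and a directory
    # alias target with a file one level above it.
    root = os.path.realpath(tempfile.mkdtemp())
    for rel in ("store/tos.pdf", "store/other.txt",
                "www/docs/a.txt", "www/other.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(rel)
    tos = os.path.join(root, "store/tos.pdf")
    docs = os.path.join(root, "www/docs/")
    probe = "/documents/tos.pdf../other.txt"   # shape quoted in the commit
    return {
        # File destination, prefix match: the normal request is served ...
        "file_ok": served_file(map_alias("/documents/tos.pdf", tos,
                                         "/documents/tos.pdf")),
        # ... but the probe maps to ".../tos.pdf../other.txt": no such file.
        "file_probe": served_file(map_alias("/documents/tos.pdf", tos, probe)),
        # Exact match: the probe never reaches this location at all.
        "exact_probe": served_file(map_alias("/documents/tos.pdf", tos,
                                             probe, exact=True)),
        # Directory destination (what gixy's check is about): the same
        # shape resolves to a file outside the aliased directory.
        "dir_probe": served_file(map_alias("/docs", docs, "/docs../other.txt")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Only the directory case resolves to a file outside the alias target; with a file destination the appended suffix becomes part of a non-existent file name, and with the exact match the request is never mapped through this location.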
