SEC-220: actually block /login?next=/favicon.ico

Previously we only blocked exact matches to "next=favicon.ico". Now, we'll also block "next=/favicon.ico" and any other variations.

SEC-220: actually block /login?next=/favicon.ico
Previously we only blocked exact matches to "next=favicon.ico". Now, we'll also block "next=/favicon.ico" and any other variations.
44c52591 · Max Rothman · dc92760f · 44c52591
Commit 44c52591 authored Dec 01, 2016 by Max Rothman
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 1 deletions

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+1 -1

No files found.
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -166,7 +166,7 @@ error_page {{ k }} {{ v }};
      {% include "basic-auth.j2" %}
    {% endif %}

-    if ( $arg_next = "favicon.ico" ) {
+    if ( $arg_next ~* "favicon.ico" ) {
      return 403;
    }