a641dfbfc8
PHP scripts Although the implemented direction protection posed a prompt when accessing the http://...com/protectedir/ it was still possible to call http://...com/protectedir/script.php This vulnerability emerges from the precedence order of "location" statements. The RegEx matching the PHP script is triggered before the directory protection is evaluated. As a result, the PHP script is interpreted and path parsing stops due to the circumflex (see http://nginx.org/en/docs/http/ngx_http_core_module.html#location). The fix involves adding a PHP parsing snippet to every protected block. In order to prevent PHP-related config params repeatedly, the required section is referenced using a prefix.