I’m using nginx as a reverse proxy for continuwuity, a Matrix server. I’ve recently encountered a user with the username @../../../../../../../etc/passwd:example.org, which means the URL to their profile on my server becomes /_matrix/client/v3/profile/%40..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%3Aexample.org . The application server can handle that path and returns the user’s profile, but nginx does not forward the request correctly.
My configuration looks like this:
    location ~ ^(/_matrix|/_conduwuit|/_continuwuity) {
        proxy_pass http://localhost:8019;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 500M;
        proxy_http_version 1.1;
    }
From my understanding, the issue is that nginx always attempts to normalize the URL before matching against locations, which in this case breaks the application because the normalized URL doesn’t match /_matrix anymore. I’ve already tried to replace the location block with location / {…} and handle all other possible paths separately, but even then a username with too many ../'s would prevent the request from being forwarded to the application. I couldn’t find any option or setting that would disable path normalization.
Is there any way to get this to work with nginx? Is there something in the URL specification that explicitly says that the URLs /a/b/../../ and / always need to be equivalent, meaning Matrix is using URLs incorrectly?
I’m currently using nginx 1.28.2 on Arch Linux.
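
The normalization described in the question can be reproduced offline. The following is an added example, not part of the original post and not nginx's code: a simplified Python model of the documented behaviour (percent-decoding, resolving "." and "..", merging slashes, rejecting paths that climb above the root) applied to the location regex and request path from the post. The function names `normalize` and `reaches_location` are hypothetical.

```python
import re
from urllib.parse import unquote

# Location regex copied from the configuration in the post.
LOCATION = re.compile(r"^(/_matrix|/_conduwuit|/_continuwuity)")

# Request path copied from the post.
PAGE_PATH = ("/_matrix/client/v3/profile/"
             "%40..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%3Aexample.org")


def normalize(raw_path):
    """Simplified model of the URI nginx matches locations against.

    Returns the normalized path, or None where the path climbs above
    the root (nginx answers such requests with 400 Bad Request).
    """
    decoded = unquote(raw_path)          # %2F becomes a real "/" here
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):             # merged slashes and "." segments
            continue
        if seg == "..":
            if not stack:                # nothing left to pop: above the root
                return None
            stack.pop()
        else:
            stack.append(seg)            # "@.." is an ordinary segment
    path = "/" + "/".join(stack)
    if stack and decoded.endswith(("/", "/.", "/..")):
        path += "/"                      # keep the directory-style trailing slash
    return path


def reaches_location(raw_path):
    """True if the normalized path would still match the location regex."""
    normalized = normalize(raw_path)
    return normalized is not None and LOCATION.search(normalized) is not None


if __name__ == "__main__":
    samples = [
        PAGE_PATH,
        "/_matrix/client/v3/profile/%40alice%3Aexample.org",  # constructed
        "/_matrix/client/v3/profile/%40..%2F..%2Fetc",        # constructed
        "/a/b/../../",                                        # from the post
    ]
    for raw in samples:
        print(f"{raw}\n  normalized: {normalize(raw)!r}"
              f"  matches location: {reaches_location(raw)}")
```
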

