docs: block access to metadata files in nginx sample configs#15102
Conversation
The nginx sample configs served top-level metadata files (composer.json, composer.lock, package.json, package-lock.json, core/shipped.json) as plain files, since they matched neither a 404 block nor the static-asset extension list and fell through to `try_files $uri`. This leaked dependency information. Add a 404 location block matching these files to both the root and subdir sample configs, alongside the existing rules that hide non-public paths.

Fixes #15101

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Simon L. <szaimen@e.mail.de>
📖 Documentation Preview

No RST documentation pages changed in this PR. Last updated: Tue, 09 Jun 2026 17:22:56 GMT
I'd really like to change the directory structure so that only the bare minimum (i.e. entrypoints) are in a

But that's a far bigger change and likely unrealistic for the time being I suppose.
Yes, I fear so.
Backports?
/backport to stable34 |
/backport to stable33 |
The backport to

```shell
# Switch to the target branch and update it
git checkout stable33
git pull origin stable33

# Create the new backport branch
git checkout -b backport/15102/stable33

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts, resolve them
git cherry-pick f89d70c3

# Push the cherry pick commit to the remote repository and open a pull request
git push origin backport/15102/stable33
```

Error: Failed to check for changes with origin/stable33: No changes found in backport branch

Learn more about backports at https://docs.nextcloud.com/server/stable/go.php?to=developer-backports.
☑️ Resolves

The nginx sample configs (`nginx-root.conf.sample` and `nginx-subdir.conf.sample`) served the following top-level metadata files as plain files:

- https://nc-domain/composer.json
- https://nc-domain/composer.lock
- https://nc-domain/package.json
- https://nc-domain/package-lock.json
- https://nc-domain/core/shipped.json

These paths matched neither an existing `return 404` block nor the static-asset extension list, so they fell through to `location /` → `try_files $uri` and were served verbatim, leaking dependency information.

This adds a 404 `location` block matching these files to both samples, placed alongside the existing rules that hide non-public paths:

The block is positioned before the `\.php` and static-asset regex blocks so nginx (which evaluates regex `location` blocks in file order) matches it first.

Note

The upstream `server/.htaccess` does not block these files either — it only covers the `build|tests|config|lib|3rdparty|templates` directories and dotfiles. Apache installs likely have the same exposure. It may be worth opening a `nextcloud/server` issue to add the equivalent rule there so the two configs don't drift.

🖼️ Screenshots

No visual change — these are `literalinclude`-d config samples, not rendered page content.

✅ Checklist

- `codespell` or similar and addressed any spelling issues

🤖 Generated with Claude Code
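Because the PR's diff is not reproduced on this page, the fragment below is an added illustration of the root-config variant as the description lays it out; it is not the PR's own block and not the Nextcloud sample config itself. The five file paths come from the description above; the regex pattern, and the shapes of the surrounding `\.php`, static-asset and `location /` blocks, are assumed stand-ins written to show why the ordering matters.

```nginx
# Added example (not the PR's diff). nginx tests "location ~" regex blocks
# in the order they appear in the file and stops at the first match, so
# the 404 block for metadata files must come BEFORE the \.php and
# static-asset regex blocks; otherwise /composer.json would be handled by
# whichever later regex it happens to match, or fall through to "location /".
location ~ ^/(?:composer\.(?:json|lock)|package(?:-lock)?\.json|core/shipped\.json)$ {
    return 404;
}

# Stand-in for the existing PHP handler block (shape assumed).
location ~ \.php(?:$|/) {
    # ... fastcgi_pass to php-fpm ...
}

# Stand-in for the existing static-asset block (extension list assumed,
# shortened for illustration). Without the block above, a regex like this
# does not match composer.json, so the request would keep falling through.
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|woff2?)$ {
    try_files $uri /index.php$request_uri;
}

# Catch-all (matches the description: "location /" -> "try_files $uri").
# This is where the metadata files were being served verbatim before the fix.
location / {
    try_files $uri $uri/ /index.php$request_uri;
}

# For the subdir sample (assumption): the same regex needs the install
# prefix, e.g. ^/nextcloud/(?:composer\.(?:json|lock)|...)$, and must sit
# ahead of the regex blocks inside that prefix location.
```

After `nginx -t` and a reload, a quick check from a defender's side is `curl -sI https://nc-domain/composer.json | head -n 1` for each of the five paths: the status line should read 404 where it previously read 200. The same check is worth repeating against an Apache install, since the description notes that `server/.htaccess` does not cover these files either.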