Details
-
Improvement
-
Resolution: Unresolved
-
Medium
-
None
-
3.3.37, 4.6.2
-
Impacts Apache and Nginx configuration.
-
eZ Publish, eZ Commerce, eZ Platform Enterprise, eZ Platform, Ibexa Cloud, Ibexa Commerce, Ibexa Content, Ibexa Experience, Ibexa Open Source
Description
The ibexa/post-install package includes the default server configuration for Apache and Nginx where the following regexp is used to prevent accessing index.php directly:
^/([^/]+/)?index\.php([/?#]|$)
This regexp will match the following:
/index.php /wp-content/index.php
But it will not match if there are more than one "sub-part", ie:
/wp-content/themes/twentystd/index.php
The URL will resolve to the root of the site access (depending on how it's configured) with broken URLs for all contents (CSS & JS files, images, etc...)
To resolve the issue we just need to specify the the first capturing group of the regexp should be repeated with * :
^/([^/]+/)*?index\.php([/?#]|$)
I think this issue might be related to EZP-25057, EZP-27285 and maybe other I didn't find. But since they are very old I decided to create a new one with a possible fix.
I will create a merge request on github with the fix and post it here in the comment