Drupal updates no longer work after PR #475

[cnovak]

Overview

The PR #475 adds a check in the Nginx recipe to make sure the PHP file exists. This works fine for the index.php URLs, but when running updates it returns a 404.

On the second page of the update, the URL http://host/update.php/selection is used, and the try_files $uri =404; line returns a 404 since a file named update.php/selection does not exist.

Full Steps

1. User navigates to http://example.com/update.php, server returns Drupal update page, which contains a "Continue" button on bottom of page with URL http://example.com/update.php/selection
2. Server returns 404 due because of try_files $uri =404; line. The file $ROOT/update.php/selection does not exist.

Solution

Is there a way to change try_files to ignore /selection since it is after *.php? If someone gives me an idea on how to fix this I can submit a PR.

[alessfg]

That is a very good question @cnovak. I do not have any experience with Drupal myself; is the selection endpoint the only endpoint that is used that doesn't have an existing corresponding file? If that's the case you could add some logic before try_files to account for that edge case.

Otherwise, try_files $uri =404; was added to mitigate CVE-2019-11043. If you're using the latest release of PHP the CVE should have been already addressed, and it should be OK to remove that line from your code (at least while figuring out a better solution -- a little extra security never hurt nobody 😝).