Drupal updates no longer work after PR #475
cnovak opened this issue · 1 comments
Overview
The PR #475 adds a check in the Nginx recipe to make sure the PHP file exists. This works fine for the index.php
URLs, but when running updates it returns a 404.
On the second page of the update, the URL http://host/update.php/selection
is used, and the try_files $uri =404;
line returns a 404 since a file named update.php/selection
does not exist.
Full Steps
- User navigates to
http://example.com/update.php
, server returns Drupal update page, which contains a "Continue" button on bottom of page with URLhttp://example.com/update.php/selection
- Server returns 404 due because of
try_files $uri =404;
line. The file$ROOT/update.php/selection
does not exist.
Solution
Is there a way to change try_files
to ignore /selection
since it is after *.php
? If someone gives me an idea on how to fix this I can submit a PR.
That is a very good question @cnovak. I do not have any experience with Drupal myself; is the selection endpoint the only endpoint that is used that doesn't have an existing corresponding file? If that's the case you could add some logic before try_files
to account for that edge case.
Otherwise, try_files $uri =404;
was added to mitigate CVE-2019-11043
. If you're using the latest release of PHP the CVE should have been already addressed, and it should be OK to remove that line from your code (at least while figuring out a better solution -- a little extra security never hurt nobody 😝).