From eec82e1bf96a2e895ba7f0ad6d3ba19dbd32e576 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 11 Jul 2022 15:25:42 +0200
Subject: [PATCH] nginx: Fix gixy test `http_splitting`

Fixes test error:
```
>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
```

Summary: `$uri` should never be used in `return` statements.
See: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md

In this case, `$uri` always equals `/`, so just replace it.
---
 production/nginx/server-common.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/production/nginx/server-common.conf b/production/nginx/server-common.conf
index ef63194c0..901a490cb 100644
--- a/production/nginx/server-common.conf
+++ b/production/nginx/server-common.conf
@@ -49,7 +49,7 @@ add_header Vary Cookie;
 # cache redirect for 10 minutes
 location = / {
 if ($lang != '') {
- return 302 $scheme://$host/$lang$uri;
+ return 302 $scheme://$host/$lang/;
 }
 try_files /en-US/index.html =404;
 expires 10m;
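Review bot: The new `return 302 $scheme://$host/$lang/;` still builds the Location header from `$lang` and `$host`, and gixy not flagging them only means they are not on its list of known-dangerous variables, not that they are safe. `$lang` is defined outside this hunk (given the `Vary Cookie` context line it is presumably a `map` over a cookie or Accept-Language value), so if that map does not anchor its patterns to a fixed set of codes, a client-influenced string lands in the redirect target just as `$uri` did; worth confirming it only yields allow-listed values, e.g. `map $cookie_lang $lang { default ""; ~^(en-US|de|fr)$ $cookie_lang; }`. `$host` is taken from the client's Host header whenever one is present, and this redirect is cached for ten minutes via `expires 10m`, so a shared cache in front of nginx that does not key on Host could hand a redirect to an attacker-chosen hostname to other users — if the server block's `server_name` is fixed, `return 302 $scheme://$server_name/$lang/;` or a literal hostname removes that dependency on request input. The `location = /` block is complete within the hunk, but the definition of `$lang` is not visible here.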