Patched CVE-2019-11043

nginx.conf

@@ -56,6 +56,7 @@ http {
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
 	    add_header Referrer-Policy no-referrer always;
+        add_header X-Frame-Options "SAMEORIGIN";
 
         root /var/www/html;
 
@@ -95,7 +96,7 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
         location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
@@ -108,6 +109,7 @@ http {
         location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
             fastcgi_split_path_info ^(.+\.php)(/.*)$;
             include fastcgi_params;
+            try_files $fastcgi_script_name =404;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $fastcgi_path_info;
             # fastcgi_param HTTPS on;