[SOGo, Nginx] Deny access to some extensions from SOGo web ui to mitigate security concerns

data/conf/nginx/includes/site-defaults.conf

@@ -176,6 +176,10 @@
   }
 
   location ^~ /SOGo {
+    location ~* ^/SOGo/so/.*\.(xml|js|html|xhtml)$ {
+      return 403;
+      break;
+    }
     include /etc/nginx/conf.d/sogo_proxy_auth.active;
     include /etc/nginx/conf.d/sogo.active;
     proxy_set_header X-Real-IP $remote_addr;