[Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints

Using Apache access rules to protect access to SOAP/REST endpoints is not fully working.

For example:

    <Location /index.fcgi/sessions>
        Require all denied
    </Location>

Will block access to http://auth.example.com/sessions, thanks to this rewrite rule:

    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]

But the URL http://auth.example.com/index.fcgi/sessions is valid and not protected. URL http://auth.example.com/index.fcgi/index.fcgi/sessions is also valid, etc.