From 1e6eed42bdd64477f9c247f50a0e0c46c96a8bc3 Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Tue, 14 Jun 2022 11:37:37 -0600
Subject: [PATCH] Also reject null byte

---
 modules/caddyhttp/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index 8a784318a..60717301d 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -348,7 +348,7 @@ func (strict *StrictOptions) enforce(r *http.Request) error {
 
 	// Reject paths with // or ..
 	if strict == nil || !strict.LenientPaths {
-		if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") {
+		if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") || strings.Contains(r.URL.Path, "\x00") {
 			return Error(http.StatusBadRequest, fmt.Errorf("invalid request path: %s", r.URL.RawPath))
 		}
 	}
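Review bot: The rejection message on the line after the new condition formats `r.URL.RawPath` with `%s`, while all three checks, including the added `"\x00"` one, test the decoded `r.URL.Path`. In net/url, RawPath is only set when the original encoding differs from the default encoding of Path, so for many rejected requests the message will probably carry an empty path, and when it is set the client-supplied bytes go into the error unquoted. Consider `fmt.Errorf("invalid request path: %q", r.URL.EscapedPath())` so the reported value is always present and control characters are escaped. The comment above the check is also stale now; `// Reject paths with //, .. or a NUL byte` would match the condition. The body of enforce starts and ends outside this hunk, so how the returned error is logged is not visible here.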