mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-28 12:55:57 +03:00
caddyhttp: Fix MatchPath
sanitizing (#4499)
This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542 Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
This commit is contained in:
parent
5333c3528b
commit
3fe2c73dd0
1 changed files with 5 additions and 5 deletions
|
@ -325,6 +325,11 @@ func (m MatchPath) Match(r *http.Request) bool {
|
||||||
|
|
||||||
lowerPath := strings.ToLower(unescapedPath)
|
lowerPath := strings.ToLower(unescapedPath)
|
||||||
|
|
||||||
|
// Clean the path, merges doubled slashes, etc.
|
||||||
|
// This ensures maliciously crafted requests can't bypass
|
||||||
|
// the path matcher. See #4407
|
||||||
|
lowerPath = path.Clean(lowerPath)
|
||||||
|
|
||||||
// see #2917; Windows ignores trailing dots and spaces
|
// see #2917; Windows ignores trailing dots and spaces
|
||||||
// when accessing files (sigh), potentially causing a
|
// when accessing files (sigh), potentially causing a
|
||||||
// security risk (cry) if PHP files end up being served
|
// security risk (cry) if PHP files end up being served
|
||||||
|
@ -332,11 +337,6 @@ func (m MatchPath) Match(r *http.Request) bool {
|
||||||
// being matched by *.php to be treated as PHP scripts
|
// being matched by *.php to be treated as PHP scripts
|
||||||
lowerPath = strings.TrimRight(lowerPath, ". ")
|
lowerPath = strings.TrimRight(lowerPath, ". ")
|
||||||
|
|
||||||
// Clean the path, merges doubled slashes, etc.
|
|
||||||
// This ensures maliciously crafted requests can't bypass
|
|
||||||
// the path matcher. See #4407
|
|
||||||
lowerPath = path.Clean(lowerPath)
|
|
||||||
|
|
||||||
// Cleaning may remove the trailing slash, but we want to keep it
|
// Cleaning may remove the trailing slash, but we want to keep it
|
||||||
if lowerPath != "/" && strings.HasSuffix(r.URL.Path, "/") {
|
if lowerPath != "/" && strings.HasSuffix(r.URL.Path, "/") {
|
||||||
lowerPath = lowerPath + "/"
|
lowerPath = lowerPath + "/"
|
||||||
|
|
Loading…
Reference in a new issue