caddyhttp: Enhance comment

This commit is contained in:
Matthew Holt 2022-07-16 23:33:43 -06:00
parent 7d1f7771c9
commit 8bdee04651
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5


@ -632,12 +632,15 @@ func (m MatchQuery) Match(r *http.Request) bool {
// parse query string just once, for efficiency // parse query string just once, for efficiency
parsed, err := url.ParseQuery(r.URL.RawQuery) parsed, err := url.ParseQuery(r.URL.RawQuery)
if err != nil { if err != nil {
// Illegal query string. Likely bad escape sequence or syntax. // Illegal query string. Likely bad escape sequence or unescaped literals.
// Note that semicolons in query string have a controversial history. Summaries: // Note that semicolons in query string have a controversial history. Summaries:
// - https://github.com/golang/go/issues/50034 // - https://github.com/golang/go/issues/50034
// - https://github.com/golang/go/issues/25192 // - https://github.com/golang/go/issues/25192
// W3C recommendations are flawed and ambiguous, and different servers handle semicolons differently. // Despite the URL WHATWG spec mandating the use of & separators for query strings,
// Filippo Valsorda rightly wrote: "Relying on parser alignment for security is doomed." // every URL parser implementation is different, and Filippo Valsorda rightly wrote:
// "Relying on parser alignment for security is doomed." Overall conclusion is that
// splitting on & and rejecting ; in key=value pairs is safer than accepting raw ;.
// We regard the Go team's decision as sound and thus reject malformed query strings.
return false return false
} }
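Review bot: The last added comment line says the matcher "reject[s] malformed query strings", but the `return false` it explains only makes this one matcher not match; the request is not refused here and may still be routed elsewhere, so the wording overstates what the code does. Suggest ending the comment with `// We regard the Go team's decision as sound, so a query string that fails to parse simply never matches this matcher (the request itself is not rejected at this point).` Note also that url.ParseQuery returns the pairs it could parse alongside the first error, and this branch deliberately discards that partial result; a short clause saying so (`// the partially parsed values are intentionally ignored`) would make that choice explicit for the next maintainer. The enclosing Match method begins before this hunk and continues after it.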