From b0d9c058cc72183d5204f648459f6f77953a5a77 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Sun, 8 Oct 2017 22:19:35 -0600
Subject: [PATCH] Change CASE_SENSITIVE_PATH default to false

A default of true is risky when protecting assets by matching base path. It's not obvious that protecting /foo/ will allow /Foo/ through, and if accessing static files on a case-insensitive file system... that's no good. So the default is now to be case-INsensitive when matching paths.
---
 caddyhttp/httpserver/middleware.go | 8 ++++----
 caddyhttp/httpserver/middleware_test.go | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/caddyhttp/httpserver/middleware.go b/caddyhttp/httpserver/middleware.go
index c54246659..a754e77ce 100644
--- a/caddyhttp/httpserver/middleware.go
+++ b/caddyhttp/httpserver/middleware.go
@@ -158,7 +158,7 @@ func SetLastModifiedHeader(w http.ResponseWriter, modTime time.Time) {

 // CaseSensitivePath determines if paths should be case sensitive.
 // This is configurable via CASE_SENSITIVE_PATH environment variable.
-var CaseSensitivePath = true
+var CaseSensitivePath = false

 const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"

@@ -167,10 +167,10 @@ const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"
 // This could have been in init, but init cannot be called from tests.
 func initCaseSettings() {
 switch os.Getenv(caseSensitivePathEnv) {
- case "0", "false":
- CaseSensitivePath = false
- default:
+ case "1", "true":
 CaseSensitivePath = true
+ default:
+ CaseSensitivePath = false
 }
 }

diff --git a/caddyhttp/httpserver/middleware_test.go b/caddyhttp/httpserver/middleware_test.go
index b8b73e144..19638ca48 100644
--- a/caddyhttp/httpserver/middleware_test.go
+++ b/caddyhttp/httpserver/middleware_test.go
@@ -59,7 +59,7 @@ func TestPathCaseSensitiveEnv(t *testing.T) {
 {"0", false},
 {"false", false},
 {"true", true},
- {"", true},
+ {"", false},
 }

 for i, test := range tests {
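Review bot: The doc comment above `CaseSensitivePath` in the first middleware.go hunk does not state the default or the accepted values of the environment variable, and after this change the default is the security-relevant part. I would extend it to `// CaseSensitivePath determines if paths should be case sensitive. The default is false (case-insensitive matching); set CASE_SENSITIVE_PATH to "1" or "true" to match case-sensitively.` It may also be worth one sentence saying that case-insensitive matching widens every base-path match, so a rule that exempts or allows a path rather than protecting it now covers more than its literal spelling. Whether any middleware uses the match that way is not visible in this hunk.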
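Review bot: In `initCaseSettings` (second middleware.go hunk) the switch matches only the exact strings `"1"` and `"true"`, so `TRUE`, `True` or `yes` silently leave matching case-insensitive with no signal to the operator who set the variable. Falling back to false is the conservative direction the commit message argues for, but an unrecognised non-empty value deserves a log line so the misconfiguration is noticed. Parsing with `v, err := strconv.ParseBool(os.Getenv(caseSensitivePathEnv))` followed by `CaseSensitivePath = err == nil && v` accepts the usual spellings and keeps the same result for every value in the visible test table. This needs the `strconv` import, which lies outside the hunk.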