From c8f2834b514f8bfb405c11be53d60a6cfc5228ca Mon Sep 17 00:00:00 2001
From: Francis Lavoie <lavofr@gmail.com>
Date: Mon, 7 Mar 2022 12:06:33 -0500
Subject: [PATCH] fastcgi: Protect against requests with null bytes in the path
 (#4614)

---
 modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
index 18d7e75b1..284813370 100644
--- a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
+++ b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
@@ -110,6 +110,13 @@ func (t *Transport) Provision(ctx caddy.Context) error {
 
 // RoundTrip implements http.RoundTripper.
 func (t Transport) RoundTrip(r *http.Request) (*http.Response, error) {
+	// Disallow null bytes in the request path, because
+	// PHP upstreams may do bad things, like execute a
+	// non-PHP file as PHP code. See #4574
+	if strings.Contains(r.URL.Path, "\x00") {
+		return nil, caddyhttp.Error(http.StatusBadRequest, fmt.Errorf("invalid request path"))
+	}
+
 	env, err := t.buildEnv(r)
 	if err != nil {
 		return nil, fmt.Errorf("building environment: %v", err)
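Review bot: The rejection on the `if strings.Contains(r.URL.Path, "\x00")` branch reports only `invalid request path`, so an operator seeing 400s in the logs cannot tell that the null-byte guard fired rather than some other path problem; a more specific message such as `fmt.Errorf("invalid request path: contains null byte")` (or `errors.New(...)`, since the format string carries no verbs, if `errors` is already imported in this file) would make the rejection diagnosable without reading the source. Checking the decoded `r.URL.Path` is the right field, since a percent-encoded `%00` ends up there after parsing and a literal NUL in the request line is already refused by the URL parser, but the hunk adds no test pinning that such a path yields a 400 before `buildEnv` runs; a small RoundTrip test would guard against a future refactor moving the guard below the environment building. The body of RoundTrip continues past the end of the hunk.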