author | Francis Lavoie <lavofr@gmail.com> | 2022-03-07 12:06:33 -0500 |
committer | GitHub <noreply@github.com> | 2022-03-07 10:06:33 -0700 |
commit | c8f2834b514f8bfb405c11be53d60a6cfc5228ca (patch) | |
tree | daeabf733dadf0be8dfcb4d9858c6d0db7388aa6 /modules/caddyhttp/reverseproxy | |
parent | ab0455922ae01bde1a7a5b3bf58eb993efc02db7 (diff) |
fastcgi: Protect against requests with null bytes in the path (#4614)
Diffstat (limited to 'modules/caddyhttp/reverseproxy')
-rw-r--r-- | modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
index 18d7e75..2848133 100644
--- a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
+++ b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
@@ -110,6 +110,13 @@ func (t *Transport) Provision(ctx caddy.Context) error {
 // RoundTrip implements http.RoundTripper.
 func (t Transport) RoundTrip(r *http.Request) (*http.Response, error) {
+	// Disallow null bytes in the request path, because
+	// PHP upstreams may do bad things, like execute a
+	// non-PHP file as PHP code. See #4574
+	if strings.Contains(r.URL.Path, "\x00") {
+		return nil, caddyhttp.Error(http.StatusBadRequest, fmt.Errorf("invalid request path"))
+	}
+
 	env, err := t.buildEnv(r)
 	if err != nil {
 		return nil, fmt.Errorf("building environment: %v", err) |