summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorFrancis Lavoie <lavofr@gmail.com>2021-12-30 04:15:48 -0500
committerGitHub <noreply@github.com>2021-12-30 04:15:48 -0500
commit3fe2c73dd04f7769a9d9673236cb94b79ac45659 (patch)
tree8136fcfe82d5bf3ba4158df0f965d4c866393113 /modules
parent5333c3528bd2badf1676efcced322d151e3706c8 (diff)
caddyhttp: Fix `MatchPath` sanitizing (#4499)
This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542 Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/matchers.go10
1 files changed, 5 insertions, 5 deletions
diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index 439c407..272c924 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -325,6 +325,11 @@ func (m MatchPath) Match(r *http.Request) bool {
lowerPath := strings.ToLower(unescapedPath)
+ // Clean the path, merges doubled slashes, etc.
+ // This ensures maliciously crafted requests can't bypass
+ // the path matcher. See #4407
+ lowerPath = path.Clean(lowerPath)
+
// see #2917; Windows ignores trailing dots and spaces
// when accessing files (sigh), potentially causing a
// security risk (cry) if PHP files end up being served
@@ -332,11 +337,6 @@ func (m MatchPath) Match(r *http.Request) bool {
// being matched by *.php to be treated as PHP scripts
lowerPath = strings.TrimRight(lowerPath, ". ")
- // Clean the path, merges doubled slashes, etc.
- // This ensures maliciously crafted requests can't bypass
- // the path matcher. See #4407
- lowerPath = path.Clean(lowerPath)
-
// Cleaning may remove the trailing slash, but we want to keep it
if lowerPath != "/" && strings.HasSuffix(r.URL.Path, "/") {
lowerPath = lowerPath + "/"