summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2022-07-16 23:33:43 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2022-07-16 23:33:49 -0600
commit8bdee04651d93a5a799f6816ceafaa7ac61fe26d (patch)
treebc78b1d7c91e99cc521a0f0bb1b2bbe2430252ef /modules
parent7d1f7771c9961dc6607a6ac5894b9c3195c25fcf (diff)
caddyhttp: Enhance comment
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/matchers.go9
1 files changed, 6 insertions, 3 deletions
diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index 430318a..c8db22f 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -632,12 +632,15 @@ func (m MatchQuery) Match(r *http.Request) bool {
// parse query string just once, for efficiency
parsed, err := url.ParseQuery(r.URL.RawQuery)
if err != nil {
- // Illegal query string. Likely bad escape sequence or syntax.
+ // Illegal query string. Likely bad escape sequence or unescaped literals.
// Note that semicolons in query string have a controversial history. Summaries:
// - https://github.com/golang/go/issues/50034
// - https://github.com/golang/go/issues/25192
- // W3C recommendations are flawed and ambiguous, and different servers handle semicolons differently.
- // Filippo Valsorda rightly wrote: "Relying on parser alignment for security is doomed."
+ // Despite the URL WHATWG spec mandating the use of & separators for query strings,
+ // every URL parser implementation is different, and Filippo Valsorda rightly wrote:
+ // "Relying on parser alignment for security is doomed." Overall conclusion is that
+ // splitting on & and rejecting ; in key=value pairs is safer than accepting raw ;.
+ // We regard the Go team's decision as sound and thus reject malformed query strings.
return false
}