summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/matchers.go10
1 files changed, 5 insertions, 5 deletions
diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index 439c407..272c924 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -325,6 +325,11 @@ func (m MatchPath) Match(r *http.Request) bool {
lowerPath := strings.ToLower(unescapedPath)
+ // Clean the path, merges doubled slashes, etc.
+ // This ensures maliciously crafted requests can't bypass
+ // the path matcher. See #4407
+ lowerPath = path.Clean(lowerPath)
+
// see #2917; Windows ignores trailing dots and spaces
// when accessing files (sigh), potentially causing a
// security risk (cry) if PHP files end up being served
@@ -332,11 +337,6 @@ func (m MatchPath) Match(r *http.Request) bool {
// being matched by *.php to be treated as PHP scripts
lowerPath = strings.TrimRight(lowerPath, ". ")
- // Clean the path, merges doubled slashes, etc.
- // This ensures maliciously crafted requests can't bypass
- // the path matcher. See #4407
- lowerPath = path.Clean(lowerPath)
-
// Cleaning may remove the trailing slash, but we want to keep it
if lowerPath != "/" && strings.HasSuffix(r.URL.Path, "/") {
lowerPath = lowerPath + "/"