From dae4913fe35ff3f8a97383061ea8d44c1e98279e Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Tue, 17 Dec 2019 10:14:04 -0700
Subject: http: Patch path matcher to ignore dots and spaces (#2917)
(Try saying "patch path match" ten times fast)
---
 modules/caddyhttp/matchers.go | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'modules/caddyhttp/matchers.go')
diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index eaa27f0..6d1728d 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -165,6 +165,14 @@ func (m MatchPath) Provision(_ caddy.Context) error {
 // Match returns true if r matches m.
 func (m MatchPath) Match(r *http.Request) bool {
 lowerPath := strings.ToLower(r.URL.Path)
+
+ // see #2917; Windows ignores trailing dots and spaces
+ // when accessing files (sigh), potentially causing a
+ // security risk (cry) if PHP files end up being served
+ // as static files, exposing the source code, instead of
+ // being matched by *.php to be treated as PHP scripts
+ lowerPath = strings.TrimRight(lowerPath, ". ")
+
 for _, matchPath := range m {
 // special case: first character is equals sign,
 // treat it as an exact match
-- cgit v1.2.3
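Review bot: The added `strings.TrimRight(lowerPath, ". ")` normalises only the request path, while the patterns iterated in `for _, matchPath := range m` are not shown being trimmed the same way, so a configured pattern that itself ends in a dot or space would presumably stop matching; the comparison is below the hunk, so this needs confirming there. The trim also runs on every platform although the comment gives Windows file handling as the reason, and on other systems `name.` and `name` are distinct files, so the behaviour change deserves to be part of the documented contract rather than an inline aside. I would extend the doc comment to `// Match returns true if r matches m. The request path is lowercased and trailing dots and spaces are trimmed before matching (see #2917).` and add a regression test that a `*.php` pattern still matches constructed paths such as `/index.php.` and `/index.php `. Since this matcher is acting as a security boundary for the file server, it is also worth checking that the component that maps the URL to a file applies the same canonical form, which cannot be seen from this hunk.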