From 0665a86eb72a178a42741d477b765169d7423fd8 Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Fri, 17 Jul 2020 16:48:50 -0400 Subject: fastcgi: Ensure leading slash, omit SERVER_PORT if empty for compliance (#3570) See https://tools.ietf.org/html/rfc3875#section-4.1.13 for SCRIPT_NAME requiring leading slash See https://tools.ietf.org/html/rfc3875#section-4.1.15 for SERVER_PORT requiring omission if empty --- modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go index c12e932..8c03172 100644 --- a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go +++ b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go @@ -202,6 +202,12 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) { pathPrefix, _ := r.Context().Value(caddy.CtxKey("path_prefix")).(string) scriptName = path.Join(pathPrefix, scriptName) + // Ensure the SCRIPT_NAME has a leading slash for compliance with RFC3875 + // Info: https://tools.ietf.org/html/rfc3875#section-4.1.13 + if scriptName != "" && !strings.HasPrefix(scriptName, "/") { + scriptName = "/" + scriptName + } + // Get the request URL from context. The context stores the original URL in case // it was changed by a middleware such as rewrite. By default, we pass the // original URI in as the value of REQUEST_URI (the user can overwrite this @@ -249,7 +255,6 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) { "REQUEST_METHOD": r.Method, "REQUEST_SCHEME": requestScheme, "SERVER_NAME": reqHost, - "SERVER_PORT": reqPort, "SERVER_PROTOCOL": r.Proto, "SERVER_SOFTWARE": t.serverSoftware, @@ -269,6 +274,13 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) { env["PATH_TRANSLATED"] = filepath.Join(root, pathInfo) // Info: http://www.oreilly.com/openbook/cgi/ch02_04.html } + // compliance with the CGI specification requires that + // SERVER_PORT should only exist if it's a valid numeric value. + // Info: https://www.ietf.org/rfc/rfc3875 Page 18 + if reqPort != "" { + env["SERVER_PORT"] = reqPort + } + // Some web apps rely on knowing HTTPS or not if r.TLS != nil { env["HTTPS"] = "on" -- cgit v1.2.3