caddyhttp: Fix MatchPath sanitizing #4499

Merged
merged 1 commit into from
Dec 30, 2021

francislavoie
Member

This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542

Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.

@francislavoie francislavoie added bug 🐞 Something isn't working under review 🧐 Review is pending before merging labels Dec 30, 2021
@francislavoie francislavoie added this to the v2.5.0 milestone Dec 30, 2021
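
The ordering problem described in the PR description above, as an added Go example (not Caddy's code and not part of the original thread). The function names and sample paths are constructed for illustration, and only trailing dots are trimmed, as the description states.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// trimThenClean applies the order the PR description reports as wrong:
// trailing dots are stripped first, so a final ".." segment has already
// disappeared by the time path.Clean runs and is never resolved.
func trimThenClean(p string) string {
	return path.Clean(strings.TrimRight(p, "."))
}

// cleanThenTrim applies the order the PR description proposes:
// path.Clean resolves "." and ".." segments, then trailing dots go.
func cleanThenTrim(p string) string {
	return strings.TrimRight(path.Clean(p), ".")
}

// samplePaths are constructed request paths, not taken from the report.
var samplePaths = []string{
	"/docs/private/..",    // trailing ".." segment
	"/docs/private/../..", // two trailing ".." segments
	"/file.txt.",          // single trailing dot, no traversal
	"/docs/./private",     // dot segment in the middle
}

// disagreements returns the inputs for which the two orders produce
// different results, i.e. paths a matcher would have seen incorrectly.
func disagreements(paths []string) []string {
	var out []string
	for _, p := range paths {
		if trimThenClean(p) != cleanThenTrim(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	for _, p := range samplePaths {
		fmt.Printf("%-22q trim-then-clean=%-16q clean-then-trim=%q\n",
			p, trimThenClean(p), cleanThenTrim(p))
	}
	fmt.Println("inputs where the order matters:", disagreements(samplePaths))
}
```

A regression test for a path matcher can assert that inputs ending in `..` are compared in their resolved form, which is what the clean-then-trim order produces.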
Member

@mholt mholt left a comment

Ah, nice. Simple and elegant fix, LGTM. Thank you

@francislavoie francislavoie merged commit 3fe2c73 into master Dec 30, 2021
@francislavoie francislavoie deleted the fix-match-path-clean branch December 30, 2021 09:15
@mholt mholt removed the under review 🧐 Review is pending before merging label Jan 6, 2022
nordstern pushed a commit to uptimerobot/caddy that referenced this pull request Jan 24, 2022
This is a followup to caddyserver#4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542

Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.