path matcher does not behave as expected #5613

Using caddy 2.6.4 and the following matcher:

However, requests showing

"uri": "/api/v1/servers/localhost/zones/test.com."

in the caddy logs are not matched. When the path matcher doesn't have the "." at the end, it matches:

Comments

Ah, this is because of #2917:

```go
// See #2917; Windows ignores trailing dots and spaces
// when accessing files (sigh), potentially causing a
// security risk (cry) if PHP files end up being served
// as static files, exposing the source code, instead of
// being matched by *.php to be treated as PHP scripts.
reqPath = strings.TrimRight(reqPath, ". ")
```

This is a security feature, so a fix will need to be sensitive to that.

Hi @mholt, it seems the referenced issue is only for FastCGI (see https://github.com/caddyserver/caddy/pull/2917/files)? Or did the implementation change over time?

Serving php relies on path matchers. I'll see if there's a better way to do this.

I wonder if I limit this trimming behavior to only happen on Windows servers, would that be sufficient for you?

@mholt Yes, I'm not using Windows. However, I still don't really get why code in the FastCGI module affects my requests, as I'm not using FastCGI, PHP, ...

I might try that then.

The only "fastcgi module" in Caddy is the transport that turns an HTTP Request into a Response. However, for PHP apps, that alone is not very useful, since PHP apps often rely on special rewrites and static file serving. I may try a patch that only trims the dot and space on Windows; but unfortunately there is no known absolute fix unless Windows changes its exploitable behavior. I'm open to suggestions!

Correction for the referenced code, it isn't in the FastCGI module but in the MatchPath module; but the reasoning is duplicated: https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/matchers.go#L393-398

@mohammed90 Yes, thank you. I was linking to the fastcgi module to demonstrate its limited scope of HTTP Request -> Response functionality. I realize now I hadn't linked to the code I quoted above, which is indeed in the path matcher. Thank you for linking to that and clearing that up :)
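The following is an added example written for this page; it is not Caddy's path matcher and not code from anyone in the thread. It models the two behaviours discussed above: the unconditional `strings.TrimRight(reqPath, ". ")` that makes the reporter's `.../zones/test.com.` pattern miss, and the Windows-only variant mholt floated. `normalizePath`, `matchPath` and `matches` are hypothetical helpers; the matcher logic is simplified (exact match via `path.Match`, plus a leading `*` treated as a suffix test so `*.php` behaves as the thread describes), and the platform is passed in as a string so the difference can be exercised on any OS (a real implementation would use `runtime.GOOS`).

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalizePath is a hypothetical helper (not Caddy's) that applies the
// trailing-dot-and-space trim quoted in the thread, but only when goos is
// "windows". On Windows, "/index.php." opens the same file as "/index.php",
// so trimming keeps such requests inside the *.php matcher instead of
// letting the static file server hand out PHP source. On other platforms
// a trailing dot is a distinct file name and must be preserved.
func normalizePath(reqPath, goos string) string {
	if goos == "windows" {
		return strings.TrimRight(reqPath, ". ")
	}
	return reqPath
}

// matchPath is a simplified stand-in for a path matcher: a pattern
// beginning with "*" is treated as "any prefix" (so "*.php" is a suffix
// test); any other pattern is compared with path.Match, where "." is
// literal, so "/zones/test.com." only matches a path that keeps its dot.
func matchPath(pattern, reqPath string) bool {
	if strings.HasPrefix(pattern, "*") {
		return strings.HasSuffix(reqPath, pattern[1:])
	}
	ok, err := path.Match(pattern, reqPath)
	return err == nil && ok
}

// matches normalizes first and then matches, mirroring where the trim sits
// in the matcher (before comparison). It also returns the path that was
// actually compared, which is what the reporter could not see in the logs.
func matches(pattern, reqPath, goos string) (bool, string) {
	p := normalizePath(reqPath, goos)
	return matchPath(pattern, p), p
}

func main() {
	// Constructed sample requests: the reporter's DNS-zone style path with a
	// trailing dot, and a PHP file name padded with a trailing dot.
	zone := "/api/v1/servers/localhost/zones/test.com."
	cases := []struct{ pattern, req, goos string }{
		{zone, zone, "linux"},   // trim skipped: exact match succeeds
		{zone, zone, "windows"}, // trimmed to "...test.com": no match
		{"*.php", "/index.php.", "linux"},   // distinct file, not PHP: no match
		{"*.php", "/index.php.", "windows"}, // trimmed to "/index.php": matched as PHP
	}
	for _, c := range cases {
		ok, compared := matches(c.pattern, c.req, c.goos)
		fmt.Printf("goos=%-7s pattern=%q req=%q compared=%q matched=%v\n",
			c.goos, c.pattern, c.req, compared, ok)
	}
}
```

The two Windows rows show why the trim cannot simply be deleted: it is what lets `*.php` catch `/index.php.` on a filesystem that ignores the trailing dot. Scoping it to Windows, as the thread proposes, leaves the reporter's Linux deployment matching the untrimmed path while keeping the protection where the underlying filesystem behaviour exists.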