caddy/modules/caddyhttp
Will Norris f8a2c60297
caddyhttp: properly sanitize requests for root path (#6360)
SanitizePathJoin protects against directory traversal attacks by
checking for requests whose URL path looks like it is trying to
request something other than a local file, and returns the root
directory in those cases.

The method is also careful to ensure that requests which contain a
trailing slash include a trailing slash in the returned value.  However,
for requests that contain only a slash (requests for the root path), the
IsLocal check returns early before the matching trailing slash is
re-added.

This change updates SanitizePathJoin to only perform the
filepath.IsLocal check if the cleaned request URL path is non-empty.

---

This change also updates the existing SanitizePathJoin tests to use
filepath.FromSlash rather than filepath.Join. This makes the expected
value a little easier to read, but also has the advantage of not being
processed by filepath.Clean like filepath.Join is. This means that the
exact expected value will be compared, not the result of first cleaning
it.

Fixes #6352
2024-06-02 03:40:59 +00:00
caddyauth caddyauth: Drop support for scrypt (#6091) 2024-02-12 19:33:54 +00:00
encode fileserver: Improve Vary handling (#5849) 2024-04-19 13:43:13 -06:00
fileserver templates: Add pathEscape template function and use it in file browser (#6278) 2024-05-18 12:55:36 -06:00
headers Fix typos (#6311) 2024-05-10 08:08:54 -06:00
intercept caddyhttp: New experimental handler for intercepting responses (#6232) 2024-05-13 17:38:18 +00:00
logging logging: Implement log_append handler (#6066) 2024-03-05 17:03:59 -07:00
map caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
proxyprotocol caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
push caddyhttp: Allow header replacement with empty string (#6163) 2024-03-21 17:29:32 +00:00
requestbody caddyhttp: Address some Go 1.20 features (#6252) 2024-04-24 00:05:57 +00:00
reverseproxy reverseproxy: Support HTTP/3 transport to backend (#6312) 2024-05-20 13:06:43 -06:00
rewrite Added a null check to avoid segfault on rewrite query ops (#6191) 2024-03-23 01:51:34 -04:00
standard caddyhttp: New experimental handler for intercepting responses (#6232) 2024-05-13 17:38:18 +00:00
templates templates: Add pathEscape template function and use it in file browser (#6278) 2024-05-18 12:55:36 -06:00
tracing tracing: add trace_id var (http.vars.trace_id placeholder) (#6308) 2024-05-08 16:40:40 -06:00
app.go caddyhttp: Trace individual middleware handlers (#6313) 2024-05-18 14:48:42 -06:00
autohttps.go autohttps: Move log WARN to INFO, reduce confusion (#6185) 2024-05-20 13:14:39 -06:00
caddyhttp_test.go caddyhttp: properly sanitize requests for root path (#6360) 2024-06-02 03:40:59 +00:00
caddyhttp.go caddyhttp: properly sanitize requests for root path (#6360) 2024-06-02 03:40:59 +00:00
celmatcher_test.go caddyfile: Populate regexp matcher names by default (#6145) 2024-04-17 12:19:14 -06:00
celmatcher.go caddyfile: Populate regexp matcher names by default (#6145) 2024-04-17 12:19:14 -06:00
errors.go caddyhttp: Preserve original error (fix #5652) 2023-07-25 09:41:56 -06:00
http2listener.go caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929) 2023-04-10 17:05:02 +00:00
httpredirectlistener.go httpredirectlistener: Only set read limit for when request is HTTP (#5917) 2023-11-20 12:31:36 +00:00
invoke.go caddyhttp: Implement named routes, invoke directive (#5107) 2023-05-16 15:27:52 +00:00
ip_matchers.go caddyhttp: Fix merging consecutive client_ip or remote_ip matchers (#6350) 2024-05-30 07:32:17 -06:00
ip_range.go caddyhttp: Pluggable trusted proxy IP range sources (#5328) 2023-02-06 12:44:11 -07:00
logging.go caddyhttp: Trace individual middleware handlers (#6313) 2024-05-18 14:48:42 -06:00
marshalers.go caddyhttp: Replace sensitive headers with REDACTED (close #5669) 2024-03-29 14:42:20 -06:00
matchers_test.go matchers: query now ANDs multiple keys (#6054) 2024-01-22 02:36:44 +00:00
matchers.go caddyfile: Populate regexp matcher names by default (#6145) 2024-04-17 12:19:14 -06:00
metrics_test.go metrics: Record request metrics on HTTP errors (#5979) 2023-12-15 20:14:00 +00:00
metrics.go metrics: Record request metrics on HTTP errors (#5979) 2023-12-15 20:14:00 +00:00
replacer_test.go caddyhttp: add http.request.local{,.host,.port} placeholder (#6182) 2024-03-27 21:36:53 +00:00
replacer.go caddyhttp: add http.request.local{,.host,.port} placeholder (#6182) 2024-03-27 21:36:53 +00:00
responsematchers_test.go reverseproxy: Add handle_response blocks to reverse_proxy (#3710) (#4021) 2021-05-02 12:39:06 -06:00
responsematchers.go caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
responsewriter_test.go caddyhttp: Address some Go 1.20 features (#6252) 2024-04-24 00:05:57 +00:00
responsewriter.go reverseproxy: handle buffered data during hijack (#6274) 2024-04-26 09:09:18 -06:00
routes.go caddyhttp: Trace individual middleware handlers (#6313) 2024-05-18 14:48:42 -06:00
server_test.go caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183) 2024-03-21 10:54:25 -06:00
server.go caddyhttp: Trace individual middleware handlers (#6313) 2024-05-18 14:48:42 -06:00
staticerror.go caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
staticresp_test.go Move from deprecated ioutil to os and io packages (#4364) 2021-09-29 11:17:48 -06:00
staticresp.go staticresp: Use the evaluated response body for sniffing JSON content-type (#6249) 2024-04-18 20:31:00 +00:00
subroute.go reverseproxy: Enable changing only the status code (close #2920) 2020-06-04 12:06:38 -06:00
vars.go caddyfile: Populate regexp matcher names by default (#6145) 2024-04-17 12:19:14 -06:00