mirror of https://github.com/caddyserver/caddy.git synced 2024-12-16 21:56:40 -05:00

Also reject null byte

Matthew Holt 2022-06-14 11:37:37 -06:00
parent 98cd4333a1
commit 1e6eed42bd
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5


@ -348,7 +348,7 @@ func (strict *StrictOptions) enforce(r *http.Request) error {
// Reject paths with // or ..
if strict == nil || !strict.LenientPaths {
if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") {
if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") || strings.Contains(r.URL.Path, "\x00") {
return Error(http.StatusBadRequest, fmt.Errorf("invalid request path: %s", r.URL.RawPath))
}
}
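Review bot: The rejection message on the `return Error(...)` line formats `r.URL.RawPath`, while the condition above it inspects `r.URL.Path`. net/url only populates RawPath when the request's encoding differs from the default, so for most rejected paths, likely including a canonically encoded `%00`, the message ends with an empty value and the operator cannot see what was refused. I would report the escaped form and quote it so that an empty value or a control byte is visible and never written raw to the log: `return Error(http.StatusBadRequest, fmt.Errorf("invalid request path: %q", r.URL.EscapedPath()))`. A short comment on the condition, such as `// NUL is checked on the decoded path, so %00 is rejected as well`, would also record why the check uses Path and not the raw request line. The body of enforce starts above this hunk and may continue past it, so this applies only to the lines shown.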