From 1e6eed42bdd64477f9c247f50a0e0c46c96a8bc3 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Tue, 14 Jun 2022 11:37:37 -0600
Subject: [PATCH] Also reject null byte
---
 modules/caddyhttp/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index 8a784318..60717301 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -348,7 +348,7 @@ func (strict *StrictOptions) enforce(r *http.Request) error {
 // Reject paths with // or ..
 if strict == nil || !strict.LenientPaths {
- if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") {
+ if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") || strings.Contains(r.URL.Path, "\x00") {
 return Error(http.StatusBadRequest, fmt.Errorf("invalid request path: %s", r.URL.RawPath))
 }
 }
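Review bot: The rejection error on the `return Error(...)` line formats `r.URL.RawPath`, while the check itself runs on the decoded `r.URL.Path`. net/url leaves `RawPath` empty unless the request used a non-default encoding, so a path rejected for `//`, `..` or the newly added null byte (typically sent as `%00`) will in most cases be reported as an empty string, which makes the 400 hard to triage. Reporting the value that was actually tested, quoted so the null byte and any other control characters are escaped before they reach an error or log sink, would be `return Error(http.StatusBadRequest, fmt.Errorf("invalid request path: %q", r.URL.Path))`. The comment above the check should also be brought in line with the new condition, e.g. `// Reject paths with //, .. or a null byte`. The body of `enforce` starts and ends outside this hunk, so any handling elsewhere in the function is not visible here.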