
caddyhttp: Enhance comment

This commit is contained in:
Matthew Holt 2022-07-16 23:33:43 -06:00
parent 7d1f7771c9
commit 8bdee04651
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5


@ -632,12 +632,15 @@ func (m MatchQuery) Match(r *http.Request) bool {
// parse query string just once, for efficiency
parsed, err := url.ParseQuery(r.URL.RawQuery)
if err != nil {
// Illegal query string. Likely bad escape sequence or syntax.
// Illegal query string. Likely bad escape sequence or unescaped literals.
// Note that semicolons in query string have a controversial history. Summaries:
// - https://github.com/golang/go/issues/50034
// - https://github.com/golang/go/issues/25192
// W3C recommendations are flawed and ambiguous, and different servers handle semicolons differently.
// Filippo Valsorda rightly wrote: "Relying on parser alignment for security is doomed."
// Despite the URL WHATWG spec mandating the use of & separators for query strings,
// every URL parser implementation is different, and Filippo Valsorda rightly wrote:
// "Relying on parser alignment for security is doomed." Overall conclusion is that
// splitting on & and rejecting ; in key=value pairs is safer than accepting raw ;.
// We regard the Go team's decision as sound and thus reject malformed query strings.
return false
}