caddyhttp: Enhance comment
parent
7d1f7771c9
commit
8bdee04651
1 changed files with 6 additions and 3 deletions
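--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -632,12 +632,15 @@ func (m MatchQuery) Match(r *http.Request) bool {
 // parse query string just once, for efficiency
 parsed, err := url.ParseQuery(r.URL.RawQuery)
 if err != nil {
-// Illegal query string. Likely bad escape sequence or syntax.
+// Illegal query string. Likely bad escape sequence or unescaped literals.
 // Note that semicolons in query string have a controversial history. Summaries:
 // - https://github.com/golang/go/issues/50034
 // - https://github.com/golang/go/issues/25192
-// W3C recommendations are flawed and ambiguous, and different servers handle semicolons differently.
-// Filippo Valsorda rightly wrote: "Relying on parser alignment for security is doomed."
+// Despite the URL WHATWG spec mandating the use of & separators for query strings,
+// every URL parser implementation is different, and Filippo Valsorda rightly wrote:
+// "Relying on parser alignment for security is doomed." Overall conclusion is that
+// splitting on & and rejecting ; in key=value pairs is safer than accepting raw ;.
+// We regard the Go team's decision as sound and thus reject malformed query strings.
 return false
 }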
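Review bot: The new closing sentence says the code "reject[s] malformed query strings", but the visible effect of `return false` in a matcher's Match method is only that this matcher does not match; whether the request itself is refused depends on how the surrounding route is configured, which the hunk does not show. A reader skimming the comment could conclude that an unparsable query string is dropped at this point, so the last line would be more precise as `// We regard the Go team's decision as sound; a query string that fails to parse never matches this matcher (the request itself is not rejected here).` It would also help operators to know that this non-match is silent, so a short note such as `// No error is logged here; a non-match is the only observable signal.` makes the behaviour explicit for anyone debugging unexpected routing. The enclosing Match method starts before the hunk and is not fully visible.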