diff --git a/modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go b/modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go index 81fd48e6..5b378f8f 100644 --- a/modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go +++ b/modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go @@ -51,10 +51,10 @@ func (t *Transport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { t.Root = d.Val() case "split": - if !d.NextArg() { + t.SplitPath = d.RemainingArgs() + if len(t.SplitPath) == 0 { return d.ArgErr() } - t.SplitPath = d.Val() case "env": args := d.RemainingArgs() @@ -173,7 +173,7 @@ func parsePHPFastCGI(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error } // set up the transport for FastCGI, and specifically PHP - fcgiTransport := Transport{SplitPath: ".php"} + fcgiTransport := Transport{SplitPath: []string{".php"}} // create the reverse proxy handler which uses our FastCGI transport rpHandler := &reverseproxy.Handler{ diff --git a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go index aa0d1cd4..9d2dc39d 100644 --- a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go +++ b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go @@ -47,10 +47,11 @@ type Transport struct { // with the value of SplitPath. The first piece will be assumed as the // actual resource (CGI script) name, and the second piece will be set to // PATH_INFO for the CGI script to use. + // // Future enhancements should be careful to avoid CVE-2019-11043, // which can be mitigated with use of a try_files-like behavior - // that 404's if the fastcgi path info is not found. - SplitPath string `json:"split_path,omitempty"` + // that 404s if the fastcgi path info is not found. + SplitPath []string `json:"split_path,omitempty"` // Extra environment variables. EnvVars map[string]string `json:"env,omitempty"` @@ -168,7 +169,7 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) { // Split path in preparation for env variables. // Previous canSplit checks ensure this can never be -1. - // TODO: I haven't brought over canSplit; make sure this doesn't break + // TODO: I haven't brought over canSplit from v1; make sure this doesn't break splitPos := t.splitPos(fpath) // Request has the extension; path was split successfully @@ -284,14 +285,19 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) { // splitPos returns the index where path should // be split based on t.SplitPath. func (t Transport) splitPos(path string) int { - // TODO: + // TODO: from v1... // if httpserver.CaseSensitivePath { // return strings.Index(path, r.SplitPath) // } - return strings.Index(strings.ToLower(path), strings.ToLower(t.SplitPath)) + lowerPath := strings.ToLower(path) + for _, split := range t.SplitPath { + if idx := strings.Index(lowerPath, strings.ToLower(split)); idx > -1 { + return idx + } + } + return -1 } -// TODO: // Map of supported protocols to Apache ssl_mod format // Note that these are slightly different from SupportedProtocols in caddytls/config.go var tlsProtocolStrings = map[uint16]string{