-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add escape logic for header #3500
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3500 +/- ##
=======================================
Coverage 98.63% 98.63%
=======================================
Files 42 42
Lines 3148 3151 +3
=======================================
+ Hits 3105 3108 +3
Misses 29 29
Partials 14 14
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
@t0rchwo0d testing fail. Please take a look. |
Hi, @appleboy Hmm, It's stuck down there.
I think it's related to the following. Can you plz start testing again? |
ec759ae
to
ff49e55
Compare
Update the same code for build test |
@appleboy Oh, testing passed! |
@@ -668,6 +669,9 @@ func redirectTrailingSlash(c *Context) { | |||
req := c.Request | |||
p := req.URL.Path | |||
if prefix := path.Clean(c.Request.Header.Get("X-Forwarded-Prefix")); prefix != "." { | |||
prefix = url.QueryEscape(prefix) | |||
prefix = strings.ReplaceAll(prefix, "%2F", "/") | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add some unit test cases, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, @thinkerou
Thank you for your review!
I update "routes_test.go", Plz check again : )
da8520c
to
d1f3e5f
Compare
d1f3e5f
to
cb5832c
Compare
update "routes_test.go |
This reverts commit 81ac7d5.
Hi, @appleboy, @thinkerou Sorry, There was a lack of additional filter consideration. |
Add escape logic for header
Hi, Team.
I added a
escape logic
to the header reflecting user input values for the following.I'd appreciate it if you could review it.
Description
Basically
X-Forwarded-Prefix
is not required for any purpose other than the/
delimiter. However, unintended execution by crafted request.X-Forwarded-Prefix
has a potential problems. Although actively exploiting this flaw is unlikely, Need to prevents abuse in scenarios such as cache poisoning.How to reproduce
Case 1. Modulate
Expectations
Actual result
Case 2. Redirect
Expectations
Actual result
Case 3. Infinite Loop
Expectations
Actual result
Environment
Reference