Closed
Issue Description
In some circumstances, a URL which should be a 404 matches a router. See code below.
It's really a critical bug, because if someone writes a DELETE handler, a vulnerable request could delete data through the router!
Checklist
- Dependencies installed
- No typos
- Searched existing issues and docs
Expected behaviour
http://localhost:1323/aaa => Hello from router 1!
http://localhost:1323/aaa/foo => Hello from router 2!
http://localhost:1323/aaa/bar => Hello from router 3!
http://localhost:1323/aaa/bbbbbb => Not Found
Actual behaviour
http://localhost:1323/aaa => Hello from router 1!
http://localhost:1323/aaa/foo => Hello from router 2!
http://localhost:1323/aaa/bar => Hello from router 3!
http://localhost:1323/aaa/bbbbbb => Hello from router 1! <--- wrong router!
Steps to reproduce
Define 4 routers as below, check the PoC code.
- /:param1
- /:param1/foo
- /:param1/bar
- /:param1/bar/:param2
Working code to debug
package main

import (
	"fmt"
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	// Echo instance
	e := echo.New()

	// Middleware
	e.Use(middleware.Logger())
	e.Use(middleware.Recover())

	// Routes
	e.GET("/:param1", helloHandler(1))
	e.GET("/:param1/foo", helloHandler(2))
	e.GET("/:param1/bar", helloHandler(3))
	e.GET("/:param1/bar/:param2", helloHandler(4))

	// Start server
	e.Logger.Fatal(e.Start(":1323"))
}

// Handler
func helloHandler(id int) echo.HandlerFunc {
	return func(c echo.Context) error {
		return c.String(http.StatusOK, fmt.Sprintf("Hello from router %d!", id))
	}
}
Version/commit
4.1.6
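A regression check for the expected-behaviour table in this report, added here as an example; it is not part of the original issue or of Echo's code. `Audit` replays the four URLs against any `http.Handler` (an `*echo.Echo` instance satisfies that interface) and returns the misrouted paths. `Audit`, `expected` and the reference matcher `Strict` are hypothetical names, and `Strict` exists only so the block runs without Echo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Expected behaviour from the issue: path -> router id, 0 meaning 404.
var expected = []struct{ path string; id int }{
	{"/aaa", 1}, {"/aaa/foo", 2}, {"/aaa/bar", 3}, {"/aaa/bbbbbb", 0},
}

// Audit replays the table against h and returns every path that was misrouted.
func Audit(h http.Handler) (bad []string) {
	for _, c := range expected {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, c.path, nil))
		want := fmt.Sprintf("Hello from router %d!", c.id)
		if (c.id == 0 && rec.Code != http.StatusNotFound) ||
			(c.id != 0 && (rec.Code != http.StatusOK || rec.Body.String() != want)) {
			bad = append(bad, c.path)
		}
	}
	return
}

// Strict is a hypothetical reference matcher, not Echo's router: every segment must match.
func Strict(w http.ResponseWriter, r *http.Request) {
	got := strings.Split(r.URL.Path, "/")
next:
	for i, p := range []string{"/:param1", "/:param1/foo", "/:param1/bar", "/:param1/bar/:param2"} {
		pat := strings.Split(p, "/")
		if len(pat) != len(got) {
			continue
		}
		for j := range pat { // ":name" takes exactly one non-empty segment
			if param := strings.HasPrefix(pat[j], ":"); (param && got[j] == "") || (!param && pat[j] != got[j]) {
				continue next
			}
		}
		fmt.Fprintf(w, "Hello from router %d!", i+1)
		return
	}
	http.NotFound(w, r) // no pattern matched in full: never fall back to a shorter route
}

func main() { fmt.Println("misrouted:", Audit(http.HandlerFunc(Strict))) }
```

In a project test, pass the configured Echo instance to `Audit` and fail the build when the returned slice is non-empty.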