fastcgi: Prepend missing leading slash when matching paths (see #1645)

httpserver: More path matching tests

fastcgi: Prepend missing leading slash when matching paths (see #1645)
httpserver: More path matching tests
59a5afab · Matthew Holt · d8fb2ddc · 59a5afab · 59a5afab
Commit 59a5afab authored May 02, 2017 by Matthew Holt
Hide whitespace changes
Inline Side-by-side

Showing with 56 additions and 5 deletions

caddyhttp/fastcgi/fastcgi.go caddyhttp/fastcgi/fastcgi.go +19 -3

caddyhttp/httpserver/path_test.go caddyhttp/httpserver/path_test.go +37 -2

No files found.
--- a/caddyhttp/fastcgi/fastcgi.go
+++ b/caddyhttp/fastcgi/fastcgi.go
@@ -36,9 +36,25 @@ type Handler struct {
 // ServeHTTP satisfies the httpserver.Handler interface.
 func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 	for _, rule := range h.Rules {
-
-		// First requirement: Base path must match and the path must be allowed.
-		if !httpserver.Path(r.URL.Path).Matches(rule.Path) || !rule.AllowedPath(r.URL.Path) {
+		// First requirement: Base path must match request path. If it doesn't,
+		// we check to make sure the leading slash is not missing, and if so,
+		// we check again with it prepended. This is in case people forget
+		// a leading slash when performing rewrites, and we don't want to expose
+		// the contents of the (likely PHP) script. See issue #1645.
+		hpath := httpserver.Path(r.URL.Path)
+		if !hpath.Matches(rule.Path) {
+			if strings.HasPrefix(string(hpath), "/") {
+				// this is a normal-looking path, and it doesn't match; try next rule
+				continue
+			}
+			hpath = httpserver.Path("/" + string(hpath)) // prepend leading slash
+			if !hpath.Matches(rule.Path) {
+				// even after fixing the request path, it still doesn't match; try next rule
+				continue
+			}
+		}
+		// The path must also be allowed (not ignored).
+		if !rule.AllowedPath(r.URL.Path) {
 			continue
 		}


--- a/caddyhttp/httpserver/path_test.go
+++ b/caddyhttp/httpserver/path_test.go
@@ -5,7 +5,7 @@ import "testing"
 func TestPathMatches(t *testing.T) {
 	for i, testcase := range []struct {
 		reqPath         Path
-		rulePath        string
+		rulePath        string // or "base path" as in Caddyfile docs
 		shouldMatch     bool
 		caseInsensitive bool
 	}{
@@ -48,7 +48,42 @@ func TestPathMatches(t *testing.T) {
 		},
 		{
 			reqPath:     "",
-			rulePath:    "/", // a lone forward slash means to match all requests (see issue #1645)
+			rulePath:    "/", // a lone forward slash means to match all requests (see issue #1645) - many future test cases related to this issue
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "foobar.php",
+			rulePath:    "/",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "",
+			rulePath:    "",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "/foo/bar",
+			rulePath:    "",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "/foo/bar",
+			rulePath:    "",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "no/leading/slash",
+			rulePath:    "/",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "no/leading/slash",
+			rulePath:    "/no/leading/slash",
+			shouldMatch: false,
+		},
+		{
+			reqPath:     "no/leading/slash",
+			rulePath:    "",
 			shouldMatch: true,
 		},
 	} {