diff options
| author | Andrew Gerrand <adg@golang.org> | 2020-05-13 10:39:11 +1000 |
|---|---|---|
| committer | Andrew Gerrand <adg@golang.org> | 2020-08-25 06:01:11 +0000 |
| commit | bb54a855a9b5733569f40ac19a2c338b87c23d14 (patch) | |
| tree | d49eb41dc40d01f1e4e71c04d7e78fce54ba8111 /src/encoding | |
| parent | b3d9cf7a07518020c6ec5032474aafef9345cdd5 (diff) | |
| download | go-bb54a855a9b5733569f40ac19a2c338b87c23d14.tar.xz | |
net/http: handle Request.URL.RawPath in StripPrefix
The StripPrefix wrapper strips a prefix string from the request's
URL.Path field, but doesn't touch the RawPath field. This leads to the
confusing situation when StripPrefix handles a request with URL.RawPath
populated (due to some escaped characters in the request path) and the
wrapped request's RawPath contains the prefix but Path does not.
This change modifies StripPrefix to strip the prefix from both Path and
RawPath. If there are escaped characters in the prefix part of the
request URL the stripped handler serves a 404 instead of invoking the
underlying handler with a mismatched Path/RawPath pair.
This is a backward incompatible change for a very small minority of
requests; I would be surprised if anyone is depending on this behavior,
but it is possible. If that's the case, we could make a more
conservative change where the RawPath is trimmed if possible, but when
the prefix contains escaped characters then we don't 404 but rather send
through the invalid Path/RawPath pair as before.
Fixes #24366
Change-Id: I7030b8c183a3dfce307bc0272bba9a18df4cfe08
Reviewed-on: https://go-review.googlesource.com/c/go/+/233637
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Diffstat (limited to 'src/encoding')
0 files changed, 0 insertions, 0 deletions