Change CASE_SENSITIVE_PATH default to false

A default of true is risky when protecting assets by matching base path. It's not obvious that protecting /foo/ will allow /Foo/ through, and if accessing static files on a case-insensitive file system... that's no good. So the default is now to be case-INsensitive when matching paths.
2025-10-31 10:37:24 -04:00 · 2017-10-08 22:19:35 -06:00 · 2017-10-08 22:19:35 -06:00 · b0d9c058cc
commit b0d9c058cc
parent cccfe3b4ef
2 changed files with 5 additions and 5 deletions
--- a/caddyhttp/httpserver/middleware.go
+++ b/caddyhttp/httpserver/middleware.go
@ -158,7 +158,7 @@ func SetLastModifiedHeader(w http.ResponseWriter, modTime time.Time) {

 // CaseSensitivePath determines if paths should be case sensitive.
 // This is configurable via CASE_SENSITIVE_PATH environment variable.
-var CaseSensitivePath = true
+var CaseSensitivePath = false

 const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"

@ -167,10 +167,10 @@ const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"
 // This could have been in init, but init cannot be called from tests.
 func initCaseSettings() {
 	switch os.Getenv(caseSensitivePathEnv) {
-	case "0", "false":
-		CaseSensitivePath = false
-	default:
+	case "1", "true":
 		CaseSensitivePath = true
+	default:
+		CaseSensitivePath = false
 	}
 }

--- a/caddyhttp/httpserver/middleware_test.go
+++ b/caddyhttp/httpserver/middleware_test.go
@ -59,7 +59,7 @@ func TestPathCaseSensitiveEnv(t *testing.T) {
 		{"0", false},
 		{"false", false},
 		{"true", true},
-		{"", true},
+		{"", false},
 	}

 	for i, test := range tests {