Lohit 176b043b01
rewrite: prevent placeholder re-expansion in injected query (#7761)
When the rewrite URI template ends with a literal '?' and contains a placeholder that expands to client-controlled bytes (e.g. {http.request.header.X-Fwd}), those bytes flow into buildQueryString which runs a second Replacer pass. If the bytes contain placeholder syntax such as {env.SECRET}, that placeholder is evaluated, allowing disclosure of environment variables, files (via {file./path}), or internal request vars through the rewritten request URI.

Escape '{' and '}' in the injected query before assigning it to the query variable, so the second pass cannot find any placeholder syntax to evaluate. Operator-written placeholders in the rewrite template are already expanded by the first pass on the path component, so the only '{' or '}' surviving into the injected query must have come from replacement values.

Fixes GHSA-j8px-rmrx-76h9.

Includes three regression tests mirroring the 'is not re-expanded' tests in modules/caddyhttp/vars_test.go.

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2026-05-26 16:51:18 -06:00
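The two-pass expansion the message describes, beside the brace-escaping fix, as an added illustration in Go that is not Caddy's own code. It assumes a toy `expand` replacer in which a backslash makes a brace literal, plus hypothetical `escapeBraces` and `rewriteQuery` helpers standing in for the real rewrite and query-building code.

```go
package main

import (
	"fmt"
	"strings"
)

// Toy placeholder Replacer (assumed for this example, not Caddy's): "{name}" is looked up in vals; a backslash before a brace makes it literal.
func expand(s string, vals map[string]string) string {
	var out strings.Builder
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '\\' && i+1 < len(s) && strings.IndexByte("{}", s[i+1]) >= 0:
			i++ // escaped brace: copy it through, never treat it as a placeholder
			out.WriteByte(s[i])
		case s[i] == '{' && strings.IndexByte(s[i:], '}') > 0:
			end := i + strings.IndexByte(s[i:], '}')
			if v, ok := vals[s[i+1:end]]; ok {
				out.WriteString(v)
			} else {
				out.WriteString(s[i : end+1]) // unknown placeholder kept as-is
			}
			i = end
		default:
			out.WriteByte(s[i])
		}
	}
	return out.String()
}

// escapeBraces makes every surviving brace literal so a later pass finds nothing to expand.
func escapeBraces(s string) string {
	return strings.NewReplacer("{", `\{`, "}", `\}`).Replace(s)
}

// rewriteQuery models the two-pass flow from the commit: expand the template once, take what
// follows the literal '?' as the injected query, expand that again. escape=true applies the fix.
func rewriteQuery(template string, vals map[string]string, escape bool) string {
	_, query, _ := strings.Cut(expand(template, vals), "?")
	if escape {
		query = escapeBraces(query)
	}
	return expand(query, vals)
}

func main() {
	vals := map[string]string{"http.request.header.X-Fwd": "{env.SECRET}", "env.SECRET": "hunter2"} // constructed sample
	tpl := "/api?fwd={http.request.header.X-Fwd}"
	fmt.Println("vulnerable:", rewriteQuery(tpl, vals, false)) // fwd=hunter2
	fmt.Println("fixed:     ", rewriteQuery(tpl, vals, true))  // fwd={env.SECRET}
}
```

Operator-written placeholders in the template are still expanded by the first pass with the fix applied; only braces arriving through replacement values are neutralised.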