Closed
Description
What version of Go are you using (`go version`)?
go version go1.9 linux/amd64
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (`go env`)?
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/kalbasit/code/personal/base"
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build643957992=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
What did you do?
```go
package main

import "net/http"

func main() {
	// A nil handler means requests are served by http.DefaultServeMux.
	http.ListenAndServe(":8878", nil)
}
```

```sh
curl 'http://localhost:8878/path:a%2F%2Fgoogle.com%2F'
```
What did you expect to see?
404 page not found
What did you see instead?
<a href="/path:a/google.com/">Moved Permanently</a>.
NOTE: this does not happen if alice was used instead of the http.DefaultServeMux
Activity
Title changed from "net/http incorrectly redirect (301) to path if path includes `%2F%2F`" to "net/http.DefaultServeMux incorrectly redirect (301) to path if path includes `%2F%2F`"
ericlagergren commented on Sep 21, 2017
FWIW it happens even with
http://localhost:8878//
http://localhost:8878/fdsfklasdjfldsajfldksajf/sdfssdf//sdfdsaf
The key aspect being two consecutive `/`s. It's redirected to a path without two `/`s.
crvv commented on Sep 22, 2017
Redirecting `http://localhost:8878//` to `http://localhost:8878/` is correct.
But redirecting `http://localhost:8878/%2F` to `http://localhost:8878/` is not correct.
I think this is a bug to be fixed.
Title changed from "net/http.DefaultServeMux incorrectly redirect (301) to path if path includes `%2F%2F`" to "net/http: DefaultServeMux incorrectly redirect (301) to path if path includes `%2F%2F`"
ianlancetaylor commented on Mar 30, 2018
CC @bradfitz @tombergan
namusyaka commented on Mar 30, 2018
I fixed a similar bug in the past, so I will confirm this.
gopherbot commented on Mar 30, 2018
Change https://golang.org/cl/103696 mentions this issue:
net/http: avoid incorrect redirection on paths containing encoded slashes
tombergan commented on Apr 5, 2018
I'm not sure if this is actually a bug in the first place. The URL reported in the original comment is:
The decoded path is:
ServerMux.Handler uses path.Clean. That path clearly has a double slash and path.Clean translates double slashes to single slashes. Also see here. The godoc for ServerMux.Handler says:
If there's an open question here, the question is around the definition of "canonical path". Does the canonical path convert double slashes to single slashes? If so, does it also convert %2F%2F to "/"? If yes to both questions, there's no bug. Otherwise, there's a bug. AFAICT, these questions are not answered in any documentation. In net/http/server_tests.go, serverMuxTests does not have a case for double slashes, so I suspect this question hasn't come up until now.
namusyaka commented on Apr 23, 2018
@tombergan Thank you for the clear explanation. I'll investigate this problem again.
namusyaka commented on Apr 28, 2018
@tombergan @bradfitz
As a countermeasure against this similar problem, there is the nginx `merge_slashes` syntax.
Even with nginx, the above options are used for cases where you do not want to integrate encoded duplicate slashes into one.
And then, I have taken a look at RFC-3986 to confirm the validity of encoded double slashes.
According to it, the encoded string pchar is considered valid.
Therefore, I think, if we follow RFC-3986, the current behavior is buggy.
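The two readings debated in the comments above can be compared directly. This is an added example, not code from the issue or from Go's source. It canonicalizes the decoded path (`u.Path`) and the escaped path (`u.EscapedPath()`) of the URLs quoted in the thread. The names `cleanPath`, `view` and `compare` are hypothetical, and `cleanPath` only models the `path.Clean` step described above, with the trailing slash restored.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// cleanPath models the canonicalization discussed in the thread:
// path.Clean, with a trailing slash restored (path.Clean strips it).
func cleanPath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	np := path.Clean(p)
	if strings.HasSuffix(p, "/") && np != "/" {
		np += "/"
	}
	return np
}

// view is one reading of a request path and what canonicalizing it yields.
type view struct {
	Canonical string
	Redirect  bool // true when the canonical form differs, i.e. a 301 would be sent
}

// compare canonicalizes the decoded path (u.Path) and the on-the-wire
// path (u.EscapedPath()) of the same URL.
func compare(rawURL string) (decoded, escaped view, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return view{}, view{}, err
	}
	d, e := cleanPath(u.Path), cleanPath(u.EscapedPath())
	return view{d, d != u.Path}, view{e, e != u.EscapedPath()}, nil
}

func main() {
	// URLs taken from the comments above.
	for _, raw := range []string{
		"http://localhost:8878/path:a%2F%2Fgoogle.com%2F",
		"http://localhost:8878//",
		"http://localhost:8878/%2F",
	} {
		d, e, err := compare(raw)
		fmt.Printf("%-50s decoded=%+v escaped=%+v err=%v\n", raw, d, e, err)
	}
}
```

Cleaning the decoded path reproduces the redirect target reported in the issue, while cleaning the escaped path leaves `%2F%2F` untouched and still collapses a literal `//`.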
namusyaka commented on May 4, 2018
@bradfitz ping? If my survey is reasonable, I'm going to try to improve the patch based on this survey result.
Do you have any opinion?