[DoH] dnsdist accepts all sub-paths of the configured URL path

[bortzmeyer]

• Program: dnsdist
• Issue type: Bug report

Short description

When used for DoH, dnsdist apparently accepts as a valid URL every path which is below the configured path.

Environment

• Operating system: ArchLinux
• Software version:
• Software source: 1.4.0 compiled my myself

Steps to reproduce

1. addDOHLocal("0.0.0.0:443", "/etc/dnsdist/server-doh.pem", "/etc/dnsdist/server-doh.key", "/")
2. curl https://doh-server/somethingwhichdoesnotexist

Expected behaviour

404

Actual behaviour

200

Example with an actual server:

% curl -v https://doh.bortzmeyer.fr/doesnotexistshouldnotwork\?dns=AAABAAABAAAAAAAACnRydWNtYWNoaW4CZnIAABwAAQ
* Connected to doh.bortzmeyer.fr (2001:41d0:302:2200::180) port 443 (#0)
...
> GET /doesnotexistshouldnotwork?dns=AAABAAABAAAAAAAACnRydWNtYWNoaW4CZnIAABwAAQ HTTP/2
> Host: doh.bortzmeyer.fr
> User-Agent: curl/7.58.0
> Accept: */*
> 
...
< HTTP/2 200 
< server: h2o/dnsdist
< content-type: application/dns-message
< content-length: 88

Other information

Same thing with POST instead of GET.

[rgacogne]

Thanks for reporting this! I think this is the behavior @ahupowerdns intended, but I agree this might make more sense to do exact path matching only.
It should be possible to prevent this behavior in 1.4.0 using a response map, via DOHFrontend.setResponsesMap() and newDOHResponseMapEntry().

[bortzmeyer]

It seems to me that accepting /dns-query/something/somethingelse, although legal, violates the principle of least astonishment. I guess that most webmasters would be surprised.

It can also be a (very small) security issue, if someone blocks "^/dns-query$", they may be surprised that "/dns-query/foobar" works.

[rgacogne]

I fully agree so unless someone chimes in with a good reason to keep the existing behavior, I'll likely move our behavior to exact path matching only in 1.4.1.