Thanks for reporting this! I think this is the behavior @ahupowerdns intended, but I agree this might make more sense to do exact path matching only.
It should be possible to prevent this behavior in 1.4.0 using a response map, via DOHFrontend.setResponsesMap() and newDOHResponseMapEntry().
It seems to me that accepting /dns-query/something/somethingelse, although legal, violates the principle of least astonishment. I guess that most webmasters would be surprised.
It can also be a (very small) security issue, if someone blocks "^/dns-query$", they may be surprised that "/dns-query/foobar" works.
I fully agree so unless someone chimes in with a good reason to keep the existing behavior, I'll likely move our behavior to exact path matching only in 1.4.1.
Short description
When used for DoH, dnsdist apparently accepts as a valid URL every path which is below the configured path.
Environment
Steps to reproduce
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/server-doh.pem", "/etc/dnsdist/server-doh.key", "/")
curl https://doh-server/somethingwhichdoesnotexist
Expected behaviour
404
Actual behaviour
200
Example with an actual server:
Other information
Same thing with POST instead of GET.
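The gap discussed in this thread, as an added example (not part of the original issue and not dnsdist code): a small Python model that checks which request targets still reach the DoH handler when a front-end filter blocks an anchored pattern but the server accepts anything at or below the configured path. The function names, the sample targets, the segment-boundary rule and the choice to match filters against the path without its query string are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit


def accepted(configured, path, exact_only=False):
    """Would the DoH frontend serve this path?

    exact_only=False models the behaviour reported in this issue: any path
    at or below the configured one is served. The segment-boundary rule
    ("/dns-queryfoo" is not below "/dns-query") is an assumption.
    exact_only=True models exact path matching.
    """
    if path == configured:
        return True
    if exact_only:
        return False
    base = configured.rstrip("/")  # "/" becomes "", so every path is below it
    return path.startswith(base + "/")


def reaches_doh(configured, block_patterns, targets, exact_only=False):
    """Return the request targets that pass the filter and are served.

    block_patterns are regexes a front-end filter applies to the path
    (assumed here to be matched without the query string).
    """
    rules = [re.compile(p) for p in block_patterns]
    hits = []
    for target in targets:
        path = urlsplit(target).path
        if any(rule.search(path) for rule in rules):
            continue  # stopped by the filter
        if accepted(configured, path, exact_only):
            hits.append(target)
    return hits


# Constructed sample request targets, not taken from a real server.
SAMPLE_TARGETS = [
    "/dns-query",
    "/dns-query/foobar",
    "/dns-query/something/somethingelse?dns=AAAA",
    "/dns-queryfoo",
    "/other",
]

if __name__ == "__main__":
    for mode in (False, True):
        found = reaches_doh("/dns-query", [r"^/dns-query$"], SAMPLE_TARGETS, mode)
        print("exact_only=%s: %s" % (mode, found))
```

With prefix matching the anchored rule stops only the exact path; with exact matching nothing in the sample gets past it.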