net/http: DefaultServeMux incorrectly redirect (301) to path if path includes `%2F%2F`

[kalbasit]

What version of Go are you using (go version)?

go version go1.9 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/kalbasit/code/personal/base"
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build643957992=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

package main

import "net/http"

func main() {
	http.ListenAndServe(":8878", nil)
}

curl 'http://localhost:8878/path:a%2F%2Fgoogle.com%2F'

What did you expect to see?

404 page not found

What did you see instead?

<a href="/path:a/google.com/">Moved Permanently</a>.

NOTE: this does not happen if alice was used instead of the http.DefaultServeMux

[ericlagergren]

FWIW it happens even with

• http://localhost:8878//
• http://localhost:8878/fdsfklasdjfldsajfldksajf/sdfssdf//sdfdsaf

The key aspect being two consecutive /s. It's redirected to a path without two /s.

[crvv]

Redirecting http://localhost:8878// to http://localhost:8878/ is correct.
But redirecting http://localhost:8878/%2F to http://localhost:8878/ is not correct.
I think this is a bug to be fixed.

[ianlancetaylor]

CC @bradfitz @tombergan

[namusyaka]

I fixed similar bug in the past, so I will confirm this.

[gopherbot]

Change https://golang.org/cl/103696 mentions this issue: net/http: avoid incorrect redirection on paths containing encoded slashes

[tombergan]

I'm not sure if this actually a bug in the first place. The URL reported in the original comment is:

http://localhost:8878/path:a%2F%2Fgoogle.com%2F

The decoded path is:

/path:a//google.com/

ServerMux.Handler uses path.Clean. That path clearly has a double slash and path.Clean translates double slashes to single slashes. Also see here. The godoc for ServerMux.Handler says:

// If the path is not in its canonical form, the
// handler will be an internally-generated handler that redirects
// to the canonical path.

If there's an open question here, the question is around the definition of "canonical path". Does the canonical path convert double slashes to single slashes? If so, does it also convert %2F%2F to "/"? If yes to both questions, there's no bug. Otherwise, there's a bug. AFAICT, these questions are not answered in any documentation. In net/http/server_tests.go, serverMuxTests does not have a case for double slashes, so I suspect this question hasn't come up until now.

[namusyaka]

@tombergan Thank you for the clear explanation. I'll investigate this problem again.

[namusyaka]

@tombergan @bradfitz

As a countermeasure against this similar problem, there is nginx merge_slashes syntax.
Even with nginx, the above options are used for cases where you do not want to integrate encoded duplicate slashes into one.

And then, I have take a look at RFC-3986 for confirming the encoded double slashes validity.
According to it, the encoded string pchar is considered valid.

   path          = path-abempty    ; begins with "/" or is empty
                 / path-absolute   ; begins with "/" but not "//"
                 / path-noscheme   ; begins with a non-colon segment
                 / path-rootless   ; begins with a segment
                 / path-empty      ; zero characters

   path-abempty  = *( "/" segment )
   path-absolute = "/" [ segment-nz *( "/" segment ) ]
   path-noscheme = segment-nz-nc *( "/" segment )
   path-rootless = segment-nz *( "/" segment )
   path-empty    = 0<pchar>

   segment       = *pchar
   segment-nz    = 1*pchar
   segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
                 ; non-zero-length segment without any colon ":"

   pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

   query         = *( pchar / "/" / "?" )

   fragment      = *( pchar / "/" / "?" )

   pct-encoded   = "%" HEXDIG HEXDIG

Therefore, I think, if we follow RFC-3986, the current behavior is buggy.

[namusyaka]

@bradfitz ping? If my survey is reasonable, I'm going to try to improve the patch based on this survey result.
Do you have any opinion?