Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: DefaultServeMux incorrectly redirect (301) to path if path includes %2F%2F #21955

kalbasit opened this issue Sep 21, 2017 · 17 comments
NeedsFix The path to resolution is known, but the work has not been done.


Copy link

kalbasit commented Sep 21, 2017

What version of Go are you using (go version)?

go version go1.9 linux/amd64

Does this issue reproduce with the latest release?


What operating system and processor architecture are you using (go env)?

GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build643957992=/tmp/go-build -gno-record-gcc-switches"

What did you do?

package main

import "net/http"

func main() {
	http.ListenAndServe(":8878", nil)
curl 'http://localhost:8878/'

What did you expect to see?

404 page not found

What did you see instead?

<a href="/path:a/">Moved Permanently</a>.

NOTE: this does not happen if alice was used instead of the http.DefaultServeMux

@kalbasit kalbasit changed the title net/http incorrectly redirect (301) to path if path includes %2F%2F net/http.DefaultServeMux incorrectly redirect (301) to path if path includes %2F%2F Sep 21, 2017
Copy link

ericlagergren commented Sep 21, 2017

FWIW it happens even with

  • http://localhost:8878//
  • http://localhost:8878/fdsfklasdjfldsajfldksajf/sdfssdf//sdfdsaf

The key aspect being two consecutive /s. It's redirected to a path without two /s.

Copy link

crvv commented Sep 22, 2017

Redirecting http://localhost:8878// to http://localhost:8878/ is correct.
But redirecting http://localhost:8878/%2F to http://localhost:8878/ is not correct.
I think this is a bug to be fixed.

@ianlancetaylor ianlancetaylor changed the title net/http.DefaultServeMux incorrectly redirect (301) to path if path includes %2F%2F net/http: DefaultServeMux incorrectly redirect (301) to path if path includes %2F%2F Mar 30, 2018
@ianlancetaylor ianlancetaylor added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 30, 2018
@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Mar 30, 2018
Copy link

CC @bradfitz @tombergan

Copy link

I fixed similar bug in the past, so I will confirm this.

@namusyaka namusyaka self-assigned this Mar 30, 2018
Copy link

Change mentions this issue: net/http: avoid incorrect redirection on paths containing encoded slashes

Copy link

tombergan commented Apr 5, 2018

I'm not sure if this actually a bug in the first place. The URL reported in the original comment is:


The decoded path is:


ServerMux.Handler uses path.Clean. That path clearly has a double slash and path.Clean translates double slashes to single slashes. Also see here. The godoc for ServerMux.Handler says:

// If the path is not in its canonical form, the
// handler will be an internally-generated handler that redirects
// to the canonical path.

If there's an open question here, the question is around the definition of "canonical path". Does the canonical path convert double slashes to single slashes? If so, does it also convert %2F%2F to "/"? If yes to both questions, there's no bug. Otherwise, there's a bug. AFAICT, these questions are not answered in any documentation. In net/http/server_tests.go, serverMuxTests does not have a case for double slashes, so I suspect this question hasn't come up until now.

Copy link

@tombergan Thank you for the clear explanation. I'll investigate this problem again.

Copy link

@tombergan @bradfitz

As a countermeasure against this similar problem, there is nginx merge_slashes syntax.
Even with nginx, the above options are used for cases where you do not want to integrate encoded duplicate slashes into one.

And then, I have take a look at RFC-3986 for confirming the encoded double slashes validity.
According to it, the encoded string pchar is considered valid.

   path          = path-abempty    ; begins with "/" or is empty
                 / path-absolute   ; begins with "/" but not "//"
                 / path-noscheme   ; begins with a non-colon segment
                 / path-rootless   ; begins with a segment
                 / path-empty      ; zero characters

   path-abempty  = *( "/" segment )
   path-absolute = "/" [ segment-nz *( "/" segment ) ]
   path-noscheme = segment-nz-nc *( "/" segment )
   path-rootless = segment-nz *( "/" segment )
   path-empty    = 0<pchar>

   segment       = *pchar
   segment-nz    = 1*pchar
   segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
                 ; non-zero-length segment without any colon ":"

   pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

   query         = *( pchar / "/" / "?" )

   fragment      = *( pchar / "/" / "?" )

   pct-encoded   = "%" HEXDIG HEXDIG

Therefore, I think, if we follow RFC-3986, the current behavior is buggy.

Copy link

@bradfitz ping? If my survey is reasonable, I'm going to try to improve the patch based on this survey result.
Do you have any opinion?

alexmt pushed a commit to alexmt/argo-cd that referenced this issue Jun 4, 2018
alexmt added a commit to argoproj/argo-cd that referenced this issue Jun 4, 2018
Copy link

@bradfitz @tombergan ping?

dunglas added a commit to dunglas/go that referenced this issue May 20, 2020
The current implementation of ServeMux incorrectly returns a 301 status
code when the path contains URL-encoded data, and especially URL-encoded

Fixes golang#21955
Copy link

Change mentions this issue: net/http: prevent incorrect redirections when the path contains %2F%2F

Copy link

neild commented Oct 19, 2020

To expand on @tombergan's comment (#21955 (comment)), the ServeMux documentation states:

ServeMux also takes care of sanitizing the URL request path and the Host header, stripping the port number and redirecting any request containing . or .. elements or repeated slashes to an equivalent, cleaner URL.

The documentation is not explicit on whether %2f is considered a slash, but the implementation consistently treats it as such. ServeMux.Handle("/foo/", f) matches the request /foo%2fbar.

I believe the current behavior is consistent with the documentation and probably can't be changed without violating compatibility. Perhaps the documentation should explicitly mention the treatment of escaped path components.

Copy link

jfcalvo commented Apr 6, 2021

I'm suffering the same problem trying to use an encoded full URL in the path.

For example I'm trying to use this URL (an image from Wikimedia):

Once encoded we get the following URL:

And this is the request to my server using the previous URL as path:


I'm receiving a 301 status code with a Moved Permanently body message linking to:


I understand that ServeMux is cleaning paths and redirecting in the case of differences but what I don't understand it's why that is done for escaped characters like %2F%2F.

Apart from the possible bug, anybody knows any solution/workaround that doesn't involve creating from scratch a custom serve mux or using another one available? Any possible way to avoid that cleaning?

Copy link

crvv commented Apr 7, 2021

This is clearly a bug.

The encoding method can encode arbitrary data in a Uniform Resource Identifier (URI), which is the point of the encoding.

"/" is the reserved character slash. "%2f" is an arbitrary string.
"/" and "%2f" are two different things.

Is "%2f" is a slash?
No, of course it is not a slash. and "%25" is not a percent sign
Otherwise "" will be equivalent to "".

frizinak added a commit to frizinak/gotls that referenced this issue Oct 29, 2021
Copy link

kayrus commented Jun 15, 2022

Just faced this issue in the latest go 1.18.3

curl http://localhost/%2Fhello is decoded internally to //hello (r.URL.Path) and the decision for a 301 redirect based on r.URL.Path instead of r.URL.RawPath.

A dirty hack that fixed useless 301 redirect issue for me:

--- go/src/net/http/server.go   2022-06-01 18:44:51.000000000 +0200
+++ go_/src/net/http/server.go  2022-06-15 23:44:02.602151436 +0200
@@ -2412,7 +2412,7 @@
        // All other requests have any port stripped and path cleaned
        // before passing to mux.handler.
        host := stripHostPort(r.Host)
-       path := cleanPath(r.URL.Path)
+       path := cleanPath(r.URL.RawPath)
        // If the given path is /tree and its handler is not registered,
        // redirect for /tree/.
@@ -2420,7 +2420,7 @@
                return RedirectHandler(u.String(), StatusMovedPermanently), u.Path
-       if path != r.URL.Path {
+       if path != r.URL.RawPath {
                _, pattern = mux.handler(host, path)
                u := &url.URL{Path: path, RawQuery: r.URL.RawQuery}
                return RedirectHandler(u.String(), StatusMovedPermanently), pattern

Copy link

Change mentions this issue: net/http: ServeMux matches escaped paths

Copy link

Change mentions this issue: net/http: unescape paths and patterns by segment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
NeedsFix The path to resolution is known, but the work has not been done.
None yet

Successfully merging a pull request may close this issue.

10 participants