Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http/httputil: SingleHostReverseProxy escaped paths are decoded #35908

Open
dkumor opened this issue Nov 29, 2019 · 1 comment
Open

net/http/httputil: SingleHostReverseProxy escaped paths are decoded #35908

dkumor opened this issue Nov 29, 2019 · 1 comment

Comments

@dkumor
Copy link

@dkumor dkumor commented Nov 29, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/daniel/.cache/go-build"
GOENV="/home/daniel/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/daniel/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build286555625=/tmp/go-build -gno-record-gcc-switches"

What did you do?

  1. initialize a SingleHostReverseProxy with a non-root path (for example /a)
  2. proxy a request with an escaped element: /b%2fc

What did you expect to see?

The forwarded request should be /a/b%2fc

What did you see instead?

The forwarded request is /a/b/c

Reason

This is because when joining URLs, the SingleHostReverseProxy joins just the url.Path elements (https://github.com/golang/go/blob/master/src/net/http/httputil/reverseproxy.go#L112). However, the URL also includes a RawPath which holds an encoding hint specifically to specify how to encode the path (874a605).

To fix this, RawPath also needs to be joined if it is set for either request.

@dkumor dkumor changed the title net/http/httputil: SingleHostReverseProxy url-encoded paths are decoded net/http/httputil: SingleHostReverseProxy escaped paths are decoded Nov 29, 2019
@dmitshur

This comment has been minimized.

Copy link
Member

@dmitshur dmitshur commented Dec 2, 2019

/cc @bradfitz per owners.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.