Description:
If a URL path includes double dots (e.g. `/data/../info/`) or a single dot (e.g. `/user/./record/`), it seems `Http::HeaderMap` doesn't normalize it by removing the dots in the path.
Sometimes this creates issues when a filter is trying to compare the path. For example, a filter may expect to match on path `/info/` and it actually wants to match on both `/data/../info/` and `/info/` because they have the same semantics and will most likely be interpreted to the same place in the backend.
Question:
Should we provide such support in `HeaderMap` or `HeaderUtility::matchHeaders`? Or should we simply do it inside a specific filter when needed?
I can work on this. Could you assign this to me? Also, could you clarify a little about the path traversal attacks? I'm not sure how it is related to the change here. Thanks.
Title: How to normalize URL in Http::HeaderMap?
Reference:
https://en.wikipedia.org/wiki/URL_normalization
/cc @liminw @JimmyCYJ
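An added example, not part of the original issue and not Envoy's code: one way a filter could collapse dot segments (in the manner of RFC 3986 section 5.2.4) before comparing a path against `/info/`. The helper names `decodeDots`, `removeDotSegments` and `matchesPrefix` are hypothetical, the sample paths are constructed, and treating `%2e` as a dot goes beyond the cases listed in the issue.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helpers for illustration; these are not Envoy APIs.
// "." is unreserved, so "%2e"/"%2E" equals a literal dot (RFC 3986, 6.2.2.2).
static std::string decodeDots(const std::string& seg) {
  std::string out;
  for (std::size_t i = 0; i < seg.size(); ++i) {
    const bool enc = seg[i] == '%' && i + 2 < seg.size() && seg[i + 1] == '2' &&
                     (seg[i + 2] == 'e' || seg[i + 2] == 'E');
    out += enc ? '.' : seg[i];
    if (enc) i += 2;  // skip the two hex digits just consumed
  }
  return out;
}

// Collapse "." and ".." segments of an absolute path (query already removed).
std::string removeDotSegments(const std::string& path) {
  if (path.empty() || path[0] != '/') return path;  // e.g. "*": leave untouched
  std::vector<std::string> kept;
  std::size_t pos = 1;  // first character after the leading '/'
  while (true) {
    const std::size_t end = path.find('/', pos);
    const bool last = (end == std::string::npos);
    const std::string seg = path.substr(pos, last ? std::string::npos : end - pos);
    const std::string plain = decodeDots(seg);
    if (plain == "." || plain == "..") {
      if (plain == ".." && !kept.empty()) kept.pop_back();  // never climbs above "/"
      if (last) kept.push_back("");  // "/a/b/.." becomes "/a/"
    } else {
      kept.push_back(seg);  // ordinary (or empty) segment, kept as received
    }
    if (last) break;
    pos = end + 1;
  }
  std::string out;
  for (const std::string& seg : kept) out += "/" + seg;
  return out;
}

// Prefix match as a filter would do it, on the normalized path only.
bool matchesPrefix(const std::string& raw_path, const std::string& prefix) {
  const std::string path = removeDotSegments(raw_path.substr(0, raw_path.find('?')));
  return path.compare(0, prefix.size(), prefix) == 0;
}

int main() {
  std::cout << removeDotSegments("/data/../info/") << "\n";  // constructed input
}
```

A filter that matches on the normalized path should also forward the normalized path, so the filter and the backend evaluate the same string.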