Deny request with fragment in URL path

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2023-11-16 16:54:07 +01:00 · 2023-11-16 16:54:07 +01:00 · 12e50e20e6
commit 12e50e20e6
parent cd326654a7
2 changed files with 46 additions and 0 deletions
--- a/pkg/server/server_entrypoint_tcp.go
+++ b/pkg/server/server_entrypoint_tcp.go
@ -535,6 +535,7 @@ func createHTTPServer(ctx context.Context, ln net.Listener, configuration *stati
 		return nil, err
 	}

+	handler = denyFragment(handler)
 	if configuration.HTTP.EncodeQuerySemicolons {
 		handler = encodeQuerySemicolons(handler)
 	} else {
@ -620,3 +621,20 @@ func encodeQuerySemicolons(h http.Handler) http.Handler {
 		}
 	})
 }
+
+// When go receives an HTTP request, it assumes the absence of fragment URL.
+// However, it is still possible to send a fragment in the request.
+// In this case, Traefik will encode the '#' character, altering the request's intended meaning.
+// To avoid this behavior, the following function rejects requests that include a fragment in the URL.
+func denyFragment(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		if strings.Contains(req.URL.RawPath, "#") {
+			log.WithoutContext().Debugf("Rejecting request because it contains a fragment in the URL path: %s", req.URL.RawPath)
+			rw.WriteHeader(http.StatusBadRequest)
+
+			return
+		}
+
+		h.ServeHTTP(rw, req)
+	})
+}