Merge branch v2.11 into v3.6

pkg/server/server_entrypoint_tcp.go

@@ -685,6 +685,8 @@ func newHTTPServer(ctx context.Context, ln net.Listener, configuration *static.E
 
 	handler = denyFragment(handler)
 
+	handler = denyEncodedCharacters(configuration.HTTP.EncodedCharacters.Map(), handler)
+
 	serverHTTP := &http.Server{
 		Protocols:      &protocols,
 		Handler:        handler,
@@ -787,6 +789,37 @@ func encodeQuerySemicolons(h http.Handler) http.Handler {
 	})
 }
 
+// denyEncodedCharacters reject the request if the escaped path contains encoded characters.
+func denyEncodedCharacters(encodedCharacters map[string]struct{}, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		escapedPath := req.URL.EscapedPath()
+
+		for i := 0; i < len(escapedPath); i++ {
+			if escapedPath[i] != '%' {
+				continue
+			}
+
+			// This should never happen as the standard library will reject requests containing invalid percent-encodings.
+			// This discards URLs with a percent character at the end.
+			if i+2 >= len(escapedPath) {
+				rw.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			// This rejects a request with a path containing the given encoded characters.
+			if _, exists := encodedCharacters[escapedPath[i:i+3]]; exists {
+				log.Debug().Msgf("Rejecting request because it contains encoded character %s in the URL path: %s", escapedPath[i:i+3], escapedPath)
+				rw.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			i += 2
+		}
+
+		h.ServeHTTP(rw, req)
+	})
+}
+
 // When go receives an HTTP request, it assumes the absence of fragment URL.
 // However, it is still possible to send a fragment in the request.
 // In this case, Traefik will encode the '#' character, altering the request's intended meaning.