Merge branch v2.11 into v3.6

2026-01-14 11:28:12 +01:00 · 2026-01-14 11:28:12 +01:00 · 8479d66d18
commit 8479d66d18
parent 794916a183 9e5d4ba5a1
23 changed files with 266 additions and 224 deletions
--- a/pkg/config/dynamic/http_config.go
+++ b/pkg/config/dynamic/http_config.go
@ -72,12 +72,12 @@ type Router struct {
 	Rule        string   `json:"rule,omitempty" toml:"rule,omitempty" yaml:"rule,omitempty"`
 	ParentRefs  []string `json:"parentRefs,omitempty" toml:"parentRefs,omitempty" yaml:"parentRefs,omitempty" label:"-" export:"true"`
 	// Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
-	RuleSyntax                  string                            `json:"ruleSyntax,omitempty" toml:"ruleSyntax,omitempty" yaml:"ruleSyntax,omitempty" export:"true"`
-	Priority                    int                               `json:"priority,omitempty" toml:"priority,omitempty,omitzero" yaml:"priority,omitempty" export:"true"`
-	TLS                         *RouterTLSConfig                  `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
-	Observability               *RouterObservabilityConfig        `json:"observability,omitempty" toml:"observability,omitempty" yaml:"observability,omitempty" export:"true"`
-	DefaultRule                 bool                              `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
-	DeniedEncodedPathCharacters RouterDeniedEncodedPathCharacters `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
+	RuleSyntax                  string                             `json:"ruleSyntax,omitempty" toml:"ruleSyntax,omitempty" yaml:"ruleSyntax,omitempty" export:"true"`
+	Priority                    int                                `json:"priority,omitempty" toml:"priority,omitempty,omitzero" yaml:"priority,omitempty" export:"true"`
+	TLS                         *RouterTLSConfig                   `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
+	Observability               *RouterObservabilityConfig         `json:"observability,omitempty" toml:"observability,omitempty" yaml:"observability,omitempty" export:"true"`
+	DefaultRule                 bool                               `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
+	DeniedEncodedPathCharacters *RouterDeniedEncodedPathCharacters `json:"-" toml:"-" yaml:"-" label:"-" file:"-" kv:"-"`
 }

 // +k8s:deepcopy-gen=true
--- a/pkg/config/dynamic/zz_generated.deepcopy.go
+++ b/pkg/config/dynamic/zz_generated.deepcopy.go
@ -1389,7 +1389,11 @@ func (in *Router) DeepCopyInto(out *Router) {
 		*out = new(RouterObservabilityConfig)
 		(*in).DeepCopyInto(*out)
 	}
-	out.DeniedEncodedPathCharacters = in.DeniedEncodedPathCharacters
+	if in.DeniedEncodedPathCharacters != nil {
+		in, out := &in.DeniedEncodedPathCharacters, &out.DeniedEncodedPathCharacters
+		*out = new(RouterDeniedEncodedPathCharacters)
+		**out = **in
+	}
 	return
 }

--- a/pkg/config/static/entrypoints.go
+++ b/pkg/config/static/entrypoints.go
@ -92,6 +92,16 @@ type EncodedCharacters struct {
 	AllowEncodedHash          bool `description:"Defines whether requests with encoded hash characters in the path are allowed." json:"allowEncodedHash,omitempty" toml:"allowEncodedHash,omitempty" yaml:"allowEncodedHash,omitempty" export:"true"`
 }

+func (ec *EncodedCharacters) SetDefaults() {
+	ec.AllowEncodedSlash = true
+	ec.AllowEncodedBackSlash = true
+	ec.AllowEncodedNullCharacter = true
+	ec.AllowEncodedSemicolon = true
+	ec.AllowEncodedPercent = true
+	ec.AllowEncodedQuestionMark = true
+	ec.AllowEncodedHash = true
+}
+
 // HTTP2Config is the HTTP2 configuration of an entry point.
 type HTTP2Config struct {
 	MaxConcurrentStreams      int32 `description:"Specifies the number of concurrent streams per connection that each client is allowed to initiate." json:"maxConcurrentStreams,omitempty" toml:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty" export:"true"`
--- a/pkg/server/aggregator.go
+++ b/pkg/server/aggregator.go
@ -215,7 +215,7 @@ func applyModel(cfg dynamic.Configuration) dynamic.Configuration {
 					if m.DeniedEncodedPathCharacters != nil {
 						// As the denied encoded path characters option is not configurable at the router level,
 						// we can simply copy the whole structure to override the router's default config.
-						cp.DeniedEncodedPathCharacters = *m.DeniedEncodedPathCharacters
+						cp.DeniedEncodedPathCharacters = m.DeniedEncodedPathCharacters
 					}

 					if cp.Observability == nil {
--- a/pkg/server/router/deny.go
+++ b/pkg/server/router/deny.go
@ -2,29 +2,10 @@ package router

 import (
 	"net/http"
-	"strings"

 	"github.com/rs/zerolog/log"
 )

-// denyFragment rejects the request if the URL path contains a fragment (hash character).
-// When go receives an HTTP request, it assumes the absence of fragment URL.
-// However, it is still possible to send a fragment in the request.
-// In this case, Traefik will encode the '#' character, altering the request's intended meaning.
-// To avoid this behavior, the following function rejects requests that include a fragment in the URL.
-func denyFragment(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		if strings.Contains(req.URL.RawPath, "#") {
-			log.Debug().Msgf("Rejecting request because it contains a fragment in the URL path: %s", req.URL.RawPath)
-			rw.WriteHeader(http.StatusBadRequest)
-
-			return
-		}
-
-		h.ServeHTTP(rw, req)
-	})
-}
-
 // denyEncodedPathCharacters reject the request if the escaped path contains encoded characters in the given list.
 func denyEncodedPathCharacters(encodedCharacters map[string]struct{}, h http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
--- a/pkg/server/router/deny_test.go
+++ b/pkg/server/router/deny_test.go
@ -8,42 +8,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-func Test_denyFragment(t *testing.T) {
-	tests := []struct {
-		name       string
-		url        string
-		wantStatus int
-	}{
-		{
-			name:       "Rejects fragment character",
-			url:        "http://example.com/#",
-			wantStatus: http.StatusBadRequest,
-		},
-		{
-			name:       "Allows without fragment",
-			url:        "http://example.com/",
-			wantStatus: http.StatusOK,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			handler := denyFragment(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusOK)
-			}))
-
-			req := httptest.NewRequest(http.MethodGet, test.url, nil)
-			res := httptest.NewRecorder()
-
-			handler.ServeHTTP(res, req)
-
-			assert.Equal(t, test.wantStatus, res.Code)
-		})
-	}
-}
-
 func Test_denyEncodedPathCharacters(t *testing.T) {
 	tests := []struct {
 		name       string
--- a/pkg/server/router/router.go
+++ b/pkg/server/router/router.go
@ -274,10 +274,7 @@ func (m *Manager) buildHTTPHandler(ctx context.Context, router *runtime.RouterIn

 	// Here we are adding deny handlers for encoded path characters and fragment.
 	// Deny handler are only added for root routers, child routers are protected by their parent router deny handlers.
-	if len(router.ParentRefs) == 0 {
-		chain = chain.Append(func(next http.Handler) (http.Handler, error) {
-			return denyFragment(next), nil
-		})
+	if len(router.ParentRefs) == 0 && router.DeniedEncodedPathCharacters != nil {
 		chain = chain.Append(func(next http.Handler) (http.Handler, error) {
 			return denyEncodedPathCharacters(router.DeniedEncodedPathCharacters.Map(), next), nil
 		})
--- a/pkg/server/router/router_test.go
+++ b/pkg/server/router/router_test.go
@ -1837,7 +1837,7 @@ func TestManager_BuildHandlers_Deny(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusBadRequest,
+			expectedStatusCode: http.StatusOK,
 		},
 		{
 			desc:        "parent router with child routers, request with encoded slash",
@ -1860,18 +1860,18 @@ func TestManager_BuildHandlers_Deny(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusBadRequest,
+			expectedStatusCode: http.StatusOK,
 		},
 		{
-			desc:        "parent router allowing encoded slash without child router",
+			desc:        "parent router disallowing encoded slash without child router",
 			requestPath: "/foo%2F",
 			routers: map[string]*dynamic.Router{
 				"parent": {
 					EntryPoints: []string{"web"},
 					Rule:        "PathPrefix(`/`)",
 					Service:     "service",
-					DeniedEncodedPathCharacters: dynamic.RouterDeniedEncodedPathCharacters{
-						AllowEncodedSlash: true,
+					DeniedEncodedPathCharacters: &dynamic.RouterDeniedEncodedPathCharacters{
+						AllowEncodedSlash: false,
 					},
 				},
 			},
@ -1882,17 +1882,17 @@ func TestManager_BuildHandlers_Deny(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusOK,
+			expectedStatusCode: http.StatusBadRequest,
 		},
 		{
-			desc:        "parent router allowing encoded slash with child routers",
+			desc:        "parent router disallowing encoded slash with child routers",
 			requestPath: "/foo%2F",
 			routers: map[string]*dynamic.Router{
 				"parent": {
 					EntryPoints: []string{"web"},
 					Rule:        "PathPrefix(`/`)",
-					DeniedEncodedPathCharacters: dynamic.RouterDeniedEncodedPathCharacters{
-						AllowEncodedSlash: true,
+					DeniedEncodedPathCharacters: &dynamic.RouterDeniedEncodedPathCharacters{
+						AllowEncodedSlash: false,
 					},
 				},
 				"child1": {
@ -1908,48 +1908,6 @@ func TestManager_BuildHandlers_Deny(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusOK,
-		},
-		{
-			desc:        "parent router without child routers, request with fragment",
-			requestPath: "/foo#",
-			routers: map[string]*dynamic.Router{
-				"parent": {
-					EntryPoints: []string{"web"},
-					Rule:        "PathPrefix(`/`)",
-					Service:     "service",
-				},
-			},
-			services: map[string]*dynamic.Service{
-				"service": {
-					LoadBalancer: &dynamic.ServersLoadBalancer{
-						Servers: []dynamic.Server{{URL: "http://localhost:8080"}},
-					},
-				},
-			},
-			expectedStatusCode: http.StatusBadRequest,
-		},
-		{
-			desc:        "parent router with child routers, request with fragment",
-			requestPath: "/foo#",
-			routers: map[string]*dynamic.Router{
-				"parent": {
-					EntryPoints: []string{"web"},
-					Rule:        "PathPrefix(`/`)",
-				},
-				"child1": {
-					Rule:       "Path(`/v1`)",
-					Service:    "child1-service",
-					ParentRefs: []string{"parent"},
-				},
-			},
-			services: map[string]*dynamic.Service{
-				"child1-service": {
-					LoadBalancer: &dynamic.ServersLoadBalancer{
-						Servers: []dynamic.Server{{URL: "http://localhost:8080"}},
-					},
-				},
-			},
 			expectedStatusCode: http.StatusBadRequest,
 		},
 	}
--- a/pkg/server/server_entrypoint_tcp.go
+++ b/pkg/server/server_entrypoint_tcp.go
@ -683,6 +683,8 @@ func newHTTPServer(ctx context.Context, ln net.Listener, configuration *static.E

 	handler = normalizePath(handler)

+	handler = denyFragment(handler)
+
 	serverHTTP := &http.Server{
 		Protocols:      &protocols,
 		Handler:        handler,
@ -765,6 +767,24 @@ func (t *trackedConnection) Close() error {
 	return t.WriteCloser.Close()
 }

+// denyFragment rejects the request if the URL path contains a fragment (hash character).
+// When go receives an HTTP request, it assumes the absence of fragment URL.
+// However, it is still possible to send a fragment in the request.
+// In this case, Traefik will encode the '#' character, altering the request's intended meaning.
+// To avoid this behavior, the following function rejects requests that include a fragment in the URL.
+func denyFragment(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		if strings.Contains(req.URL.RawPath, "#") {
+			log.Debug().Msgf("Rejecting request because it contains a fragment in the URL path: %s", req.URL.RawPath)
+			rw.WriteHeader(http.StatusBadRequest)
+
+			return
+		}
+
+		h.ServeHTTP(rw, req)
+	})
+}
+
 // This function is inspired by http.AllowQuerySemicolons.
 func encodeQuerySemicolons(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
--- a/pkg/server/server_entrypoint_tcp_test.go
+++ b/pkg/server/server_entrypoint_tcp_test.go
@ -387,6 +387,42 @@ func TestKeepAliveH2c(t *testing.T) {
 	require.Contains(t, err.Error(), "use of closed network connection")
 }

+func Test_denyFragment(t *testing.T) {
+	tests := []struct {
+		name       string
+		url        string
+		wantStatus int
+	}{
+		{
+			name:       "Rejects fragment character",
+			url:        "http://example.com/#",
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name:       "Allows without fragment",
+			url:        "http://example.com/",
+			wantStatus: http.StatusOK,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := denyFragment(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+
+			req := httptest.NewRequest(http.MethodGet, test.url, nil)
+			res := httptest.NewRecorder()
+
+			handler.ServeHTTP(res, req)
+
+			assert.Equal(t, test.wantStatus, res.Code)
+		})
+	}
+}
+
 func TestSanitizePath(t *testing.T) {
 	tests := []struct {
 		path     string