diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d8f14669..49f2596a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +## [v2.11.33](https://github.com/traefik/traefik/tree/v2.11.33) (2025-12-17) +[All Commits](https://github.com/traefik/traefik/compare/v2.11.32...v2.11.33) + +**Bug fixes:** +- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) by [rtribotte](https://github.com/rtribotte)) + +**Documentation:** +- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) by [rtribotte](https://github.com/rtribotte)) +- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) by [rtribotte](https://github.com/rtribotte)) +- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) by [kevinpollet](https://github.com/kevinpollet)) + ## [v3.6.5](https://github.com/traefik/traefik/tree/v3.6.5) (2025-12-16) [All Commits](https://github.com/traefik/traefik/compare/v3.6.4...v3.6.5) diff --git a/Dockerfile b/Dockerfile index 0e08e72da..f1e6b15e2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1.2 -FROM alpine:3.22 +FROM alpine:3.23 RUN apk add --no-cache --no-progress ca-certificates tzdata diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go index 530e3a7bd..d49ee4651 100644 --- a/cmd/traefik/traefik.go +++ b/cmd/traefik/traefik.go 
@@ -99,7 +99,7 @@ func runCmd(staticConfiguration *static.Configuration) error { // Display warning to advertise for new behavior of rejecting encoded characters in the request path. // Deprecated: this has to be removed in the next minor/major version. - log.Warn().Msg("Starting with v3.6.3, Traefik now rejects some encoded characters in the request path by default. " + + log.Warn().Msg("Starting with v3.6.4, Traefik now rejects some encoded characters in the request path by default. " + "Refer to the documentation for more details: https://doc.traefik.io/traefik/migrate/v3/#encoded-characters-in-request-path") http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment diff --git a/docs/check.Dockerfile b/docs/check.Dockerfile index 2a03cf8af..d9593e5ed 100644 --- a/docs/check.Dockerfile +++ b/docs/check.Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.22 +FROM alpine:3.23 RUN apk --no-cache --no-progress add \ build-base \ diff --git a/docs/content/migrate/v3.md b/docs/content/migrate/v3.md index 0b1e100bf..46fc08ffd 100644 --- a/docs/content/migrate/v3.md +++ b/docs/content/migrate/v3.md @@ -559,7 +559,7 @@ The KubernetesIngressNGINX Provider is no longer experimental in v3.6.2 and can ### Encoded Characters in Request Path -Starting with `v3.6.3`, for security reasons, Traefik now rejects requests with a path containing a specific set of encoded characters by default. +Starting with `v3.6.4`, for security reasons, Traefik now rejects requests with a path containing a specific set of encoded characters by default. When such a request is received, Traefik responds with a `400 Bad Request` status code. diff --git a/docs/content/routing/entrypoints.md b/docs/content/routing/entrypoints.md index 48972b884..d69eb0d28 100644 --- a/docs/content/routing/entrypoints.md +++ b/docs/content/routing/entrypoints.md 
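Review bot: In cmd/traefik/traefik.go, the startup warning in runCmd says only that "some encoded characters" are rejected, so an operator who sees a 400 in the access log cannot tie it to this message without following the link. The migration guide touched by this same commit states that such requests get `400 Bad Request`, and the entry point documentation names the `encodedCharacters` options. I would add a line such as `"Such requests are answered with 400 Bad Request; see the entryPoints encodedCharacters options. " +` before the "Refer to the documentation" line. runCmd starts and ends outside this hunk, so whether the warning depends on the configured options is not visible here.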
@@ -638,239 +638,6 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward --entryPoints.web.forwardedHeaders.connection=foobar ``` -### Encoded Characters - -You can configure Traefik to control the handling of encoded characters in request paths for security purposes. -By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks. - -!!! warning "Security Considerations" - - Allowing certain encoded characters may expose your application to security vulnerabilities. - -??? info "`encodedCharacters.allowEncodedSlash`" - - _Optional, Default=false_ - - Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed. - - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedSlash: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedSlash = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedSlash=true - ``` - -??? info "`encodedCharacters.allowEncodedBackSlash`" - - _Optional, Default=false_ - - Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed. - - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedBackSlash: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedBackSlash = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=true - ``` - -??? 
info "`encodedCharacters.allowEncodedNullCharacter`" - - _Optional, Default=false_ - - Controls whether requests with encoded null characters (`%00`) in the path are allowed. - - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedNullCharacter: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedNullCharacter = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=true - ``` - -??? info "`encodedCharacters.allowEncodedSemicolon`" - - _Optional, Default=false_ - - Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed. - - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedSemicolon: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedSemicolon = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=true - ``` - -??? info "`encodedCharacters.allowEncodedPercent`" - - _Optional, Default=false_ - - Controls whether requests with encoded percent characters (`%25`) in the path are allowed. 
- - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedPercent: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedPercent = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedPercent=true - ``` - -??? info "`encodedCharacters.allowEncodedQuestionMark`" - - _Optional, Default=false_ - - Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed. - - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedQuestionMark: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedQuestionMark = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=true - ``` - -??? info "`encodedCharacters.allowEncodedHash`" - - _Optional, Default=false_ - - Controls whether requests with encoded hash characters (`%23`) in the path are allowed. - - ```yaml tab="File (YAML)" - ## Static configuration - entryPoints: - web: - address: ":80" - http: - encodedCharacters: - allowEncodedHash: true - ``` - - ```toml tab="File (TOML)" - ## Static configuration - [entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.encodedCharacters] - allowEncodedHash = true - ``` - - ```bash tab="CLI" - ## Static configuration - --entryPoints.web.address=:80 - --entryPoints.web.http.encodedCharacters.allowEncodedHash=true - ``` - ### Transport #### `respondingTimeouts` 
@@ -1410,6 +1177,244 @@ entryPoints: | false | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo | | true | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo | +### Encoded Characters + +You can configure Traefik to control the handling of encoded characters in request paths for security purposes. +By default, Traefik rejects requests with path containing certain encoded characters that could be used in path traversal or other security attacks. + +!!! info + + This check is not done against the request query parameters, + but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3). + +!!! warning "Security Considerations" + + Allowing certain encoded characters may expose your application to security vulnerabilities. + +??? info "`encodedCharacters.allowEncodedSlash`" + + _Optional, Default=false_ + + Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed. + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedSlash: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedSlash = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedSlash=true + ``` + +??? info "`encodedCharacters.allowEncodedBackSlash`" + + _Optional, Default=false_ + + Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed. 
+ + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedBackSlash: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedBackSlash = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=true + ``` + +??? info "`encodedCharacters.allowEncodedNullCharacter`" + + _Optional, Default=false_ + + Controls whether requests with encoded null characters (`%00`) in the path are allowed. + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedNullCharacter: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedNullCharacter = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=true + ``` + +??? info "`encodedCharacters.allowEncodedSemicolon`" + + _Optional, Default=false_ + + Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed. + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedSemicolon: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedSemicolon = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=true + ``` + +??? 
info "`encodedCharacters.allowEncodedPercent`" + + _Optional, Default=false_ + + Controls whether requests with encoded percent characters (`%25`) in the path are allowed. + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedPercent: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedPercent = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedPercent=true + ``` + +??? info "`encodedCharacters.allowEncodedQuestionMark`" + + _Optional, Default=false_ + + Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed. + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedQuestionMark: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedQuestionMark = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=true + ``` + +??? info "`encodedCharacters.allowEncodedHash`" + + _Optional, Default=false_ + + Controls whether requests with encoded hash characters (`%23`) in the path are allowed. 
+ + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + http: + encodedCharacters: + allowEncodedHash: true + ``` + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.web.http.encodedCharacters] + allowEncodedHash = true + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=:80 + --entryPoints.web.http.encodedCharacters.allowEncodedHash=true + ``` + ### SanitizePath _Optional, Default=true_ diff --git a/docs/docs.Dockerfile b/docs/docs.Dockerfile index 99e963cf4..bd9886863 100644 --- a/docs/docs.Dockerfile +++ b/docs/docs.Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.22 +FROM alpine:3.23 ENV PATH="${PATH}:/venv/bin" diff --git a/integration/simple_test.go b/integration/simple_test.go index 2a19c165d..f344719cf 100644 --- a/integration/simple_test.go +++ b/integration/simple_test.go @@ -1695,8 +1695,7 @@ func (s *SimpleSuite) TestDenyFragment() { s.composeUp() defer s.composeDown() - file := s.adaptFile("fixtures/simple_deny.toml", struct{}{}) - _, _ = s.cmdTraefik(withConfigFile(file)) + s.traefikCmd(withConfigFile(s.adaptFile("fixtures/simple_deny.toml", struct{}{}))) err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`deny.localhost`)")) require.NoError(s.T(), err) diff --git a/webui/.nvmrc b/webui/.nvmrc index 26600046d..0a492611a 100644 --- a/webui/.nvmrc +++ b/webui/.nvmrc @@ -1 +1 @@ -v22.15.1 +24.11.0 diff --git a/webui/buildx.Dockerfile b/webui/buildx.Dockerfile index 09b65ab81..4d64776fd 100644 --- a/webui/buildx.Dockerfile +++ b/webui/buildx.Dockerfile @@ -1,4 +1,4 @@ -FROM node:22.15.1-alpine3.20 +FROM node:24-alpine3.22 ENV WEBUI_DIR=/src/webui RUN mkdir -p $WEBUI_DIR
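Review bot: In webui/buildx.Dockerfile the new base image `node:24-alpine3.22` is a floating major tag, whereas the line it replaces pinned an exact release (`node:22.15.1-alpine3.20`). Rebuilding the same commit can therefore pull a different Node release over time, and the image no longer has to match the `24.11.0` that webui/.nvmrc now requests in this commit. I would keep the previous level of pinning, for example `FROM node:24.11.0-alpine3.22` if that tag is published, or pin the image by digest so the web UI build stays reproducible.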