Merge branch v2.11 into v3.6

docs/content/migrate/v3.md

@@ -559,7 +559,7 @@ The KubernetesIngressNGINX Provider is no longer experimental in v3.6.2 and can
 
 ### Encoded Characters in Request Path
 
-Starting with `v3.6.3`, for security reasons, Traefik now rejects requests with a path containing a specific set of encoded characters by default.
+Starting with `v3.6.4`, for security reasons, Traefik now rejects requests with a path containing a specific set of encoded characters by default.
 
 When such a request is received, Traefik responds with a `400 Bad Request` status code.
 

docs/content/routing/entrypoints.md

@@ -638,239 +638,6 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
     --entryPoints.web.forwardedHeaders.connection=foobar
     ```
 
-### Encoded Characters
-
-You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
-By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks.
-
-!!! warning "Security Considerations"
-
-    Allowing certain encoded characters may expose your application to security vulnerabilities.
-
-??? info "`encodedCharacters.allowEncodedSlash`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedSlash: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedSlash = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedSlash=true
-    ```
-
-??? info "`encodedCharacters.allowEncodedBackSlash`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedBackSlash: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedBackSlash = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=true
-    ```
-
-??? info "`encodedCharacters.allowEncodedNullCharacter`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded null characters (`%00`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedNullCharacter: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedNullCharacter = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=true
-    ```
-
-??? info "`encodedCharacters.allowEncodedSemicolon`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedSemicolon: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedSemicolon = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=true
-    ```
-
-??? info "`encodedCharacters.allowEncodedPercent`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded percent characters (`%25`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedPercent: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedPercent = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedPercent=true
-    ```
-
-??? info "`encodedCharacters.allowEncodedQuestionMark`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedQuestionMark: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedQuestionMark = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=true
-    ```
-
-??? info "`encodedCharacters.allowEncodedHash`"
-
-    _Optional, Default=false_
-
-    Controls whether requests with encoded hash characters (`%23`) in the path are allowed.
-
-    ```yaml tab="File (YAML)"
-    ## Static configuration
-    entryPoints:
-      web:
-        address: ":80"
-        http:
-          encodedCharacters:
-            allowEncodedHash: true
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-        [entryPoints.web.http.encodedCharacters]
-          allowEncodedHash = true
-    ```
-
-    ```bash tab="CLI"
-    ## Static configuration
-    --entryPoints.web.address=:80
-    --entryPoints.web.http.encodedCharacters.allowEncodedHash=true
-    ```
-
 ### Transport
 
 #### `respondingTimeouts`
@@ -1410,6 +1177,244 @@ entryPoints:
 | false                 | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo     |
 | true                  | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo   |
 
+### Encoded Characters
+
+You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
+By default, Traefik rejects requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
+
+!!! info 
+    
+    This check is not done against the request query parameters,
+    but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+!!! warning "Security Considerations"
+
+    Allowing certain encoded characters may expose your application to security vulnerabilities.
+
+??? info "`encodedCharacters.allowEncodedSlash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedSlash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedSlash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedSlash=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedBackSlash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedBackSlash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedBackSlash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedNullCharacter`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded null characters (`%00`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedNullCharacter: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedNullCharacter = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedSemicolon`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedSemicolon: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedSemicolon = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedPercent`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded percent characters (`%25`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedPercent: true   
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedPercent = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedPercent=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedQuestionMark`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:
+          encodedCharacters:
+            allowEncodedQuestionMark: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedQuestionMark = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedHash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded hash characters (`%23`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        http:    
+          encodedCharacters:
+            allowEncodedHash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.http.encodedCharacters]
+          allowEncodedHash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.encodedCharacters.allowEncodedHash=true
+    ```
+
 ### SanitizePath
 
 _Optional, Default=true_