Merge branch v2.11 into v3.3

2025-04-17 15:57:52 +02:00 · 2025-04-17 15:57:52 +02:00 · f6fb240eb6
commit f6fb240eb6
parent fd0fd39642 a75b2384ea
44 changed files with 940 additions and 597 deletions
--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@ -197,3 +197,21 @@ This change helps the algorithm selection to favor the `gzip` algorithm over the

 It impacts requests that do not specify their preferred algorithm,
 or has no order preference, in the `Accept-Encoding` header.
+
+## v3.3.6
+
+### Request Path Sanitization
+
+Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
+Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
+
+If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the `sanitizePath` option to `false` is not safe.
+    Ensure every request is properly url encoded instead.