dots in param break routing?
daschl opened this issue · comments
Hi folks,
I have a routing to `/node/:hostname`. Now if I go to `/node/foobar` it routes fine, if it includes one dot like `/node/foo.bar/` it also works, but as soon as there is a second dot there like `/node/foo..bar` or `/node/foo.bar.` I get routed to the 404 Not Found.
Is this expected? I'm asking because actually I need to get an IP address as a param which has 3 dots :)
I just discovered the same issue.
```rust
server.get("/lookup/:domain", middleware! { |req|
    // These unwraps are safe because they are required parts of the route
    let domain = req.param("domain").unwrap();
    domain
});
```
If the parameter contains a dot the parameter is truncated at the dot. For example `/lookup/test.com` would result in the domain param containing "test" instead of the expected "test.com".
It looks like the issue is in /src/router/into_matcher.rs as a dot (.) is valid within a parameter.
I came across the same issue, when my Options::Preflight middleware did not handle some more complex routes.
As far as I noticed, the same issue happens when there are pipes (`|`) in the URL. (Sorry if the pipe looks like a butt. But hey, it's Friday. 🚶‍♂️)
I tried to look into resolving this but it appears that the behavior was deliberate as there are tests in place for the current (broken) behavior. I believe that you can use regular expressions to create your routes and it should work though.
My friend has the same issue.
> it appears that the behavior was deliberate
Guess: protection against directory traversal attacks?
I believe the directory traversal protection is correct. The regular expression approach above can be used as a workaround for more complex matching cases. I've created #437 to create a Regex example.
Isn't disallowing only `^..$|^../|/..$|/../` the correct way to implement protection against directory traversal attacks?
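
The segment-based check proposed in the last comment, written out as an added example (not code from this thread or from nickel's router): a path is rejected only when a whole segment is `..`, so dotted parameters such as IP addresses still match. The names `decode_dots`, `has_traversal_segment` and `match_route` are hypothetical, and decoding `%2e` goes one step beyond the pattern quoted above.

```rust
/// Decode only %2e / %2E so an encoded ".." cannot slip past the check.
fn decode_dots(segment: &str) -> String {
    segment.replace("%2e", ".").replace("%2E", ".")
}

/// True if any whole path segment is ".." (the cases ^..$, ^../, /..$ and /../).
fn has_traversal_segment(path: &str) -> bool {
    path.split('/').any(|seg| decode_dots(seg) == "..")
}

/// Hypothetical matcher for a pattern such as "/node/:hostname".
/// A ":name" segment matches any non-empty segment, dots included.
/// Returns the captured parameters, or None when the path does not
/// match or contains a ".." segment.
fn match_route(pattern: &str, path: &str) -> Option<Vec<(String, String)>> {
    if has_traversal_segment(path) {
        return None;
    }
    let pat: Vec<&str> = pattern.trim_matches('/').split('/').collect();
    let got: Vec<&str> = path.trim_matches('/').split('/').collect();
    if pat.len() != got.len() {
        return None;
    }
    let mut params = Vec::new();
    for (p, g) in pat.iter().zip(got.iter()) {
        if let Some(name) = p.strip_prefix(':') {
            if g.is_empty() {
                return None;
            }
            params.push((name.to_string(), g.to_string()));
        } else if p != g {
            return None;
        }
    }
    Some(params)
}

fn main() {
    // Constructed sample paths, based on the ones quoted in the thread.
    let paths = ["/node/foobar", "/node/192.168.0.1", "/node/foo..bar",
                 "/node/foo.bar.", "/node/../etc", "/node/%2e%2e"];
    for path in paths.iter() {
        println!("{:<20} -> {:?}", path, match_route("/node/:hostname", path));
    }
}
```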