nickel-org / nickel.rs

An expressjs inspired web framework for Rust

Home Page:http://nickel-org.github.io/


dots in param break routing?

daschl opened this issue · comments

Hi folks,

I have a route for /node/:hostname. Now if I go to /node/foobar it routes fine, and if it includes one dot like /node/foo.bar/ it also works, but as soon as there is a second dot, like /node/foo..bar or /node/foo.bar., I get routed to the 404 Not Found.

Is this expected? I'm asking because actually I need to get an ip address as a param which has 3 dots :)

I just discovered the same issue.

#[macro_use] extern crate nickel;
use nickel::{Nickel, HttpRouter};

let mut server = Nickel::new();
server.get("/lookup/:domain", middleware! { |req|
    // These unwraps are safe because they are required parts of the route
    let domain = req.param("domain").unwrap();
    domain
});

If the parameter contains a dot, the parameter is truncated at the dot. For example, /lookup/test.com would result in the domain param containing "test" instead of the expected "test.com".

It looks like the issue is in /src/router/into_matcher.rs as a dot (.) is valid within a parameter.

I came across the same issue, when my Options::Preflight middleware did not handle some more complex routes.
As far as I noticed, the same issue happens when there are pipes (|) in the URL. (Sorry if the pipe looks like a butt. But hey, it's Friday. 🚶‍♂️)

I tried to look into resolving this, but it appears that the behavior was deliberate, as there are tests in place for the current (broken) behavior. I believe that you can use regular expressions to create your routes and it should work, though.

My friend has the same issue.

it appears that the behavior was deliberate

Guess: protection against directory traversal attacks?

I believe the directory traversal protection is correct. The regular expression approach above can be used as a workaround for more complex matching cases. I've created #437 to create a Regex example.

Isn't disallowing only ^..$|^../|/..$|/../ the correct way to implement protection against directory traversal attacks?
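The truncation reported earlier in the thread and the traversal question just above, illustrated with a small segment-based matcher. This is an added example in plain std Rust, not nickel's own into_matcher.rs; the names match_route and has_traversal are hypothetical. It shows that keeping dots inside a :param value and rejecting ".." segments are two independent checks.

```rust
use std::collections::HashMap;

/// Match `path` against a route pattern such as "/node/:hostname", comparing
/// one '/'-separated segment at a time. A `:name` segment captures the whole
/// request segment, so dots survive intact ("10.0.0.1", "test.com", "foo..bar").
/// Returns None when the path does not match the pattern.
/// (Added example with hypothetical names; not nickel's own matcher.)
fn match_route<'a>(pattern: &str, path: &'a str) -> Option<HashMap<String, &'a str>> {
    let pat: Vec<&str> = pattern.trim_end_matches('/').split('/').collect();
    let req: Vec<&str> = path.trim_end_matches('/').split('/').collect();
    if pat.len() != req.len() {
        return None; // different number of segments: no match, i.e. a 404
    }
    let mut params = HashMap::new();
    for (p, r) in pat.iter().zip(req.iter()) {
        if let Some(name) = p.strip_prefix(':') {
            if r.is_empty() {
                return None; // a parameter must be a non-empty segment
            }
            params.insert(name.to_string(), *r);
        } else if p != r {
            return None; // literal segment mismatch
        }
    }
    Some(params)
}

/// Traversal check kept separate from matching: only a whole segment equal to
/// ".." is a parent reference (the ^..$|^../|/..$|/../ cases from the thread),
/// so "foo..bar" or an IP address is never rejected. Run this on the path as it
/// will be used, i.e. after any percent-decoding, otherwise "%2e%2e" slips past.
fn has_traversal(path: &str) -> bool {
    path.split('/').any(|seg| seg == "..")
}

fn main() {
    let route = "/node/:hostname";
    for &path in ["/node/10.0.0.1", "/node/foo..bar", "/node/..", "/node/a/b"].iter() {
        match match_route(route, path) {
            Some(_) if has_traversal(path) => println!("{} -> rejected (traversal)", path),
            Some(params) => println!("{} -> hostname = {}", path, params["hostname"]),
            None => println!("{} -> 404", path),
        }
    }
}
```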