diff --git a/doc/configuration.txt b/doc/configuration.txt
index e39db29b4..f2124db95 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -18726,11 +18726,18 @@ pass-header [ { if | unless } ]
 the FastCGI application because they are already converted into parameters.
 
 path-info
- Define a regular expression to extract the script-name and the path-info
- from the URI. Thus, should have two captures: the first one to
- capture the script name and the second one to capture the path-info. It is an
- optional setting. If it is not defined, no matching is performed on the
- URI. and the FastCGI parameters PATH_INFO and PATH_TRANSLATED are not filled.
+ Define a regular expression to extract the script-name and the path-info from
+ the URL-decoded path. Thus, should have two captures: the first one
+ to capture the script name and the second one to capture the path-info. It is
+ an optional setting. If it is not defined, no matching is performed on the
+ path. and the FastCGI parameters PATH_INFO and PATH_TRANSLATED are not filled.
+
+ For security reason, when this regular expression is defined, the newline and
+ the null characters are forbiden from the path, once URL-decoded. The reason
+ to such limitation is because otherwise the matching always fails (due to a
+ limitation one the way regular expression are executed in HAProxy). So if one
+ of these two characters is found in the URL-decoded path, an error is
+ returned to the client. The principle of least astonishment is applied here.
 
 Example :
 path-info ^(/.+\.php)(/.*)?$
diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index 38c2bfd64..12d29d686 100644
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -1345,6 +1345,15 @@ static int fcgi_set_default_param(struct fcgi_conn *fconn, struct fcgi_strm *fst
 if (!fconn->app->pathinfo_re)
 goto check_index;
 
+ /* If some special characters are found in the decoded path (\n
+ * or \0), the PATH_INFO regex cannot match. This is theorically
+ * valid, but probably unexpected, to have such characters. So,
+ * to avoid any suprises, an error is triggered in this
+ * case.
+ */
+ if (istchr(path, '\n') || istchr(path, '\0'))
+ goto error;
+
 /* The regex does not match, just to the last part and see if
 * the index must be used.
 */
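Review bot: The `\n`/`\0` rejection sits below `if (!fconn->app->pathinfo_re) goto check_index;`, so a decoded path containing either character still continues to `check_index` when no path-info regex is configured, and presumably reaches the FastCGI application from there. If that exemption is intended, the added comment should say so, for example `/* Deliberately checked only when a path-info regex is set: without one no matching is done on the path. */`; if it is not, the test belongs above the `pathinfo_re` check. The `error` label is outside the hunk, so it cannot be seen here whether the rejection is logged or counted, which is worth confirming because such requests are a useful detection signal. In the same comment, `theorically` and `suprises` should read `theoretically` and `surprises`. The body of fcgi_set_default_param starts and ends outside the hunk.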