Malformed URL causes Internal Server Error with HTTP Response 500 instead of HTTP Response 403 #6544
Comments
Ideally, we need to be able to reproduce the bug in the most minimal way possible. This allows us to write regression tests to verify the fix is working. If we can't reproduce it, then you'll have to test our changes for us until it's fixed -- and then we can't add test cases, either.

I've attached a template below that will help make this easier and faster! This will require some effort on your part -- please understand that we will be dedicating time to fix the bug you are reporting if you can just help us understand it and reproduce it easily.

This template will ask for some information you've already provided; that's OK, just fill it out the best you can. 👍 I've also included some helpful tips below the template. Feel free to let me know if you have any questions!

Thank you again for your report, we look forward to resolving it!

Template
Helpful tips
Example of a tutorial: Create a config file:

Hey, I would like to take this up, can you assign it to me?

What is your plan, @mohdammar128? I'm not sure we fully understand what is being asked here.

Dear Caddy Team,
Context:
Running Caddy as a service (systemd)
Caddy version: v2.8.4
As expected, Caddy returns HTTP 403 when someone tries to navigate to a non-existing resource, e.g. https://example.com/idonotexist/
Also, Caddy does NOT log any internal errors for this.
However, Caddy returns HTTP 500 (internal server error) and also logs an internal error when someone visits the Caddy service with a malformed URL, e.g. https://example.com/idonotexist///google%00.com
The internal error is logged with a message like "open /<<caddy_root_dir>>/idonotexist/google\u0000.com: invalid argument"
Could the Caddy build be hardened (OR be configured with some rules) to reject (with HTTP 403) such malformed URLs before trying to process such requests?
Thank you for your kind attention.
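
The behaviour in the report and the kind of early rejection it asks for, as an added Go example that is not part of the issue thread and is not Caddy's code. `naiveFileHandler`, `rejectNUL` and `status` are hypothetical names; the stand-in handler is assumed to map a missing path to 403 and any other open error to 500, as the report describes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// naiveFileHandler: hypothetical stand-in for a static file server, not Caddy's code.
func naiveFileHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		f, err := os.Open(filepath.Join(root, filepath.FromSlash(r.URL.Path)))
		switch {
		case err == nil:
			f.Close()
			w.WriteHeader(http.StatusOK)
		case os.IsNotExist(err): // missing path: 403, as on the reporter's server
			http.Error(w, "forbidden", http.StatusForbidden)
		default: // a NUL in the name makes open fail with "invalid argument"
			http.Error(w, "internal error", http.StatusInternalServerError)
		}
	})
}

// rejectNUL answers 403 when the decoded path holds a NUL byte, before any file open.
func rejectNUL(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.ContainsRune(r.URL.Path, 0) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a GET for target through h and returns the response code.
func status(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	h := naiveFileHandler(os.TempDir())
	bad := "/idonotexist///google%00.com" // URL path from the report
	fmt.Println(status(h, bad), status(rejectNUL(h), bad)) // unguarded vs guarded
}
```

The check runs on the decoded path (`r.URL.Path`), so it catches `%00` regardless of how the rest of the URL is written.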