author | Matthew Holt <[email protected]> | 2017-10-08 22:19:35 -0600 |
---|---|---|
committer | Matthew Holt <[email protected]> | 2017-10-08 22:19:35 -0600 |
commit | b0d9c058cc72183d5204f648459f6f77953a5a77 (patch) | |
tree | 479f28c0fc71893d8d1b3543ea4458c17963cf27 | |
parent | cccfe3b4efb45b443dcbef9ab26a4ec4ffb46eab (diff) | |
Change CASE_SENSITIVE_PATH default to false
A default of true is risky when protecting assets by matching base path.
It's not obvious that protecting /foo/ will allow /Foo/ through, and if
accessing static files on a case-insensitive file system... that's no
good. So the default is now to be case-INsensitive when matching paths.
-rw-r--r-- | caddyhttp/httpserver/middleware.go | 8 | ||||
-rw-r--r-- | caddyhttp/httpserver/middleware_test.go | 2 |
2 files changed, 5 insertions, 5 deletions
diff --git a/caddyhttp/httpserver/middleware.go b/caddyhttp/httpserver/middleware.go
index c54246659..a754e77ce 100644
--- a/caddyhttp/httpserver/middleware.go
+++ b/caddyhttp/httpserver/middleware.go
@@ -158,7 +158,7 @@ func SetLastModifiedHeader(w http.ResponseWriter, modTime time.Time) {
 // CaseSensitivePath determines if paths should be case sensitive.
 // This is configurable via CASE_SENSITIVE_PATH environment variable.
-var CaseSensitivePath = true
+var CaseSensitivePath = false
 const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"
@@ -167,10 +167,10 @@ const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"
 // This could have been in init, but init cannot be called from tests.
 func initCaseSettings() {
 switch os.Getenv(caseSensitivePathEnv) {
- case "0", "false":
- CaseSensitivePath = false
- default:
+ case "1", "true":
 CaseSensitivePath = true
+ default:
+ CaseSensitivePath = false
 }
 }
diff --git a/caddyhttp/httpserver/middleware_test.go b/caddyhttp/httpserver/middleware_test.go
index b8b73e144..19638ca48 100644
--- a/caddyhttp/httpserver/middleware_test.go
+++ b/caddyhttp/httpserver/middleware_test.go
@@ -59,7 +59,7 @@ func TestPathCaseSensitiveEnv(t *testing.T) {
 {"0", false},
 {"false", false},
 {"true", true},
- {"", true},
+ {"", false},
 }
 for i, test := range tests { |
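Review bot: The doc comment on `CaseSensitivePath` in the first hunk still does not say what the default is or why, although that rationale is the whole point of the commit and currently lives only in the commit message. I would extend it to something like `// The default is false (case-insensitive) so that a rule matching /foo/ also covers /Foo/; set CASE_SENSITIVE_PATH to "1" or "true" to opt in to case-sensitive matching.` Operators whose sites relied on the old default get a behaviour change on upgrade, so the same sentence probably belongs in the release notes as well.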
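Review bot: In `initCaseSettings` only the exact strings `"1"` and `"true"` select case-sensitive matching, so a value such as `TRUE`, `True` or `yes` now falls through to `default` and silently yields case-insensitive matching, whereas before this commit the same values yielded case-sensitive matching. Since this setting decides which request paths a base-path rule covers, a value that is set but not recognised should be visible rather than silently treated as the default. Consider parsing with `strconv.ParseBool(os.Getenv(caseSensitivePathEnv))` and logging when the variable is non-empty but fails to parse. The visible rows of `TestPathCaseSensitiveEnv` in the second file (the table starts outside its hunk) cover no mixed-case or unrecognised value, so a row such as `{"TRUE", true}` would pin whichever behaviour is chosen.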