From 5a4374bea055c49c9c38b6a7d41e43742c137341 Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Wed, 6 Mar 2024 00:51:26 -0500 Subject: fileserver: Preserve query during canonicalization redirect (#6109) * fileserver: Preserve query during canonicalization redirect * Clarify that only a path should be passed --- modules/caddyhttp/fileserver/staticfiles.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go index 1f0b6a5e4..57d1bc851 100644 --- a/modules/caddyhttp/fileserver/staticfiles.go +++ b/modules/caddyhttp/fileserver/staticfiles.go @@ -639,12 +639,18 @@ func calculateEtag(d os.FileInfo) string { return `"` + t + s + `"` } -func redirect(w http.ResponseWriter, r *http.Request, to string) error { - for strings.HasPrefix(to, "//") { +// redirect performs a redirect to a given path. The 'toPath' parameter +// MUST be solely a path, and MUST NOT include a query. +func redirect(w http.ResponseWriter, r *http.Request, toPath string) error { + for strings.HasPrefix(toPath, "//") { // prevent path-based open redirects - to = strings.TrimPrefix(to, "/") + toPath = strings.TrimPrefix(toPath, "/") } - http.Redirect(w, r, to, http.StatusPermanentRedirect) + // preserve the query string if present + if r.URL.RawQuery != "" { + toPath += "?" + r.URL.RawQuery + } + http.Redirect(w, r, toPath, http.StatusPermanentRedirect) return nil } -- cgit v1.2.3