Skip to content

Support http.AllowQuerySemicolons #2076

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Support http.AllowQuerySemicolons #2076

wants to merge 2 commits into from

Conversation

MickMake
Copy link
Contributor

@MickMake MickMake commented Apr 4, 2023

Description

Provide support for using semicolons in query strings. This adds a new bool flag --allow-query-semicolons.

Motivation and Context

See Issue #1841

How Has This Been Tested?

Tested against OTRS, (the original requester was using this ticket system).

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.

@MickMake MickMake requested a review from a team as a code owner April 4, 2023 19:00
@MickMake MickMake mentioned this pull request Apr 4, 2023
Closed
JoelSpeed
JoelSpeed reviewed Apr 7, 2023
View reviewed changes
Copy link
Member

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the current behaviour when you have a semi colon in the query string? I'm wondering what the pros/cons are for making this opt-in rather than just enabling it globally, any thoughts?

oauthproxy.go
@@ -269,6 +271,11 @@ func (p *OAuthProxy) setupServer(opts *options.Options) error {
TLS: opts.Server.TLS,
}

// Option: AllowQuerySemicolons
if opts.AllowQuerySemicolons {
serverOpts.Handler = http.AllowQuerySemicolons(p)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To make this a little more futureproof/obvious you are just adding a wrapper, perhaps you should pass in serverOpts.Handler instead of p?

Is this the right place to do this anyway? We have a number of HTTP handler chains being set up anyway, have you considered adding it into that instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can possibly be done there as well, depends on your preference - If you prefer it to be contained in a chain, let me know and I can re-submit the pull.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think lets change it to chain and then in theory we don't need to update it later if someone injects additional handlers into this chain

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JoelSpeed I'm not sure @MickMake is going to get back to this as he was working on it for us at the time. While I can make the initial change suggestion (passing serverOpts.Handler instead of p), I'm not sure where the chain changes should be made. Can you point me to where the chain of HTTP Handlers are so I can try and update this PR in the desired style?

@github-actions
Copy link
Contributor

github-actions bot commented Jun 7, 2023

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

@github-actions github-actions bot added the Stale label Jun 7, 2023
@github-actions github-actions bot closed this Jun 15, 2023
@timwsuqld
Copy link
Contributor

@JoelSpeed the current behavior causes issues with software that uses ; has a query parameter separator. golang.org/issue/25192 (and some other places online) believe that this is a security issue as proxies and the backend software treat the ; differently, which can cause strange behaviour or security issues. For this reason, we should only be enabling https://pkg.go.dev/net/http#AllowQuerySemicolons when the backend software requires ; has a query separator, hence why this should be a flag and not enabled by default. Enabling by default will take us back to the functioning pre-Go 1.17 behavior.

@MickMake
Copy link
Contributor Author

MickMake commented Jul 9, 2023

Hi @JoelSpeed,
As Tim said, we've had some issues with this on our proxy.
Instead of enabling this globally, I think the default behaviour with an 'opt-in' is preferable - it only affects certain setups, so kinda makes sense to not have it as default.

JoelSpeed
JoelSpeed reviewed Sep 22, 2023
View reviewed changes
Copy link
Member

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies I let this one lapse, I think with a couple of fixups this should be pretty good to go, if you still want to get this through @MickMake please reopen and then make the fixups

oauthproxy.go
@@ -269,6 +271,11 @@ func (p *OAuthProxy) setupServer(opts *options.Options) error {
TLS: opts.Server.TLS,
}

// Option: AllowQuerySemicolons
if opts.AllowQuerySemicolons {
serverOpts.Handler = http.AllowQuerySemicolons(p)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think lets change it to chain and then in theory we don't need to update it later if someone injects additional handlers into this chain

@timwsuqld timwsuqld mentioned this pull request Sep 26, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoelSpeed JoelSpeed JoelSpeed left review comments

+1 more reviewer

@timwsuqld timwsuqld timwsuqld left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MickMake @timwsuqld @JoelSpeed