From 087425a1be4cb5bb39a6770f20cc577053a27d25 Mon Sep 17 00:00:00 2001
From: mister-turtle <50653342+mister-turtle@users.noreply.github.com>
Date: Fri, 13 Sep 2024 07:52:09 +0100
Subject: [PATCH 1/2] avoid OOB slice access in parseCaddyfileURI when invalid config All cases for args[0] require additional arguments present in the slice so doing the bounds check here covers all cases. Cases requiring additional parameters already include additional checks on the len(args)
---
 modules/caddyhttp/rewrite/caddyfile.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/caddyhttp/rewrite/caddyfile.go b/modules/caddyhttp/rewrite/caddyfile.go
index 0ce5c41d217..3c15bc263c5 100644
--- a/modules/caddyhttp/rewrite/caddyfile.go
+++ b/modules/caddyhttp/rewrite/caddyfile.go
@@ -98,7 +98,7 @@ func parseCaddyfileURI(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, err
 h.Next() // consume directive name
 args := h.RemainingArgs()
- if len(args) < 1 {
+ if len(args) <= 1 {
 return nil, h.ArgErr()
 }
From bb0d17fc4a7fb54122763e41ac77ac9d751ef974 Mon Sep 17 00:00:00 2001
From: mister-turtle <50653342+mister-turtle@users.noreply.github.com>
Date: Fri, 13 Sep 2024 08:07:27 +0100
Subject: [PATCH 2/2] Changed to bounds checks on strip_prefix and strip_suffix, other cases already seem to have bounds checks in place.
---
 modules/caddyhttp/rewrite/caddyfile.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/caddyhttp/rewrite/caddyfile.go b/modules/caddyhttp/rewrite/caddyfile.go
index 3c15bc263c5..89f44c79bf3 100644
--- a/modules/caddyhttp/rewrite/caddyfile.go
+++ b/modules/caddyhttp/rewrite/caddyfile.go
@@ -98,7 +98,7 @@ func parseCaddyfileURI(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, err
 h.Next() // consume directive name
 args := h.RemainingArgs()
- if len(args) <= 1 {
+ if len(args) < 1 {
 return nil, h.ArgErr()
 }
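Review bot: The `len(args) < 1` guard that the second patch restores in parseCaddyfileURI guarantees only `args[0]`, and nothing at the check says so. A short comment above it would state the contract for anyone adding a case later: `// only args[0] is guaranteed past this point; every case must check len(args) before indexing further`. The function body continues outside the hunk, so which cases rely on this cannot be confirmed from here.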
@@ -106,7 +106,7 @@ func parseCaddyfileURI(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, err
 switch args[0] {
 case "strip_prefix":
- if len(args) > 2 {
+ if len(args) != 2 {
 return nil, h.ArgErr()
 }
 rewr.StripPathPrefix = args[1]
@@ -115,7 +115,7 @@ func parseCaddyfileURI(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, err
 }
 case "strip_suffix":
- if len(args) > 2 {
+ if len(args) != 2 {
 return nil, h.ArgErr()
 }
 rewr.StripPathSuffix = args[1]
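Review bot: No regression test accompanies the new `len(args) != 2` checks in the `strip_prefix` case or the `strip_suffix` hunk below it, and the commit message says only that the other cases "seem to" have bounds checks. Before this change a `uri strip_prefix` line with no operand reached `args[1]` and panicked during config parsing instead of returning an error. A table-driven test that feeds each sub-directive of the switch with too few and too many operands and asserts an error would pin the fix and verify the remaining cases. A more specific message than `h.ArgErr()`, for example `return nil, h.Errf("%s requires exactly one argument", args[0])`, would also tell the operator what to correct. The switch continues outside both hunks.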