An unmatched URL got routed accidentally #1368

Closed
3 tasks done
clippit opened this issue Jul 16, 2019 · 0 comments · Fixed by #1369

clippit commented Jul 16, 2019

Issue Description

In some circumstances, a URL which should be a 404 matches a router. See code below.
It's really a critical bug, as if someone writes a DELETE handler, a vulnerable request could delete data through the router!

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Expected behaviour

http://localhost:1323/aaa => Hello from router 1!
http://localhost:1323/aaa/foo => Hello from router 2!
http://localhost:1323/aaa/bar => Hello from router 3!
http://localhost:1323/aaa/bbbbbb => Not Found

Actual behaviour

http://localhost:1323/aaa => Hello from router 1!
http://localhost:1323/aaa/foo => Hello from router 2!
http://localhost:1323/aaa/bar => Hello from router 3!
http://localhost:1323/aaa/bbbbbb => Hello from router 1! <--- wrong router!

Steps to reproduce

Define 4 routers as below, check the PoC code.

  • /:param1
  • /:param1/foo
  • /:param1/bar
  • /:param1/bar/:param2

Working code to debug

package main

import (
	"fmt"
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	// Echo instance
	e := echo.New()

	// Middleware
	e.Use(middleware.Logger())
	e.Use(middleware.Recover())

	// Routes
	e.GET("/:param1", helloHandler(1))
	e.GET("/:param1/foo", helloHandler(2))
	e.GET("/:param1/bar", helloHandler(3))
	e.GET("/:param1/bar/:param2", helloHandler(4))

	// Start server
	e.Logger.Fatal(e.Start(":1323"))
}

// Handler
func helloHandler(id int) echo.HandlerFunc {
	return func(c echo.Context) error {
		return c.String(http.StatusOK, fmt.Sprintf("Hello from router %d!", id))
	}

}

Version/commit

4.1.6

clippit changed the title from "An unmatched URL got a router accidentally" to "An unmatched URL got routed accidentally" on Jul 16, 2019
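
A regression check for the behaviour reported above, added here as an example; it is not part of the original issue or of the Echo project. `RouteCase`, `Audit` and `standIn` are hypothetical names, and the stand-in handler with its routing table is constructed so the block runs with the standard library only; in a real test the Echo instance `e` from the PoC (which implements `http.Handler`) would be passed to `Audit` instead.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RouteCase is one expectation; Body is compared only when non-empty.
type RouteCase struct {
	Method, Path, Body string
	Status             int
}

// Expected is the issue's "Expected behaviour" list written as a table.
var Expected = []RouteCase{
	{"GET", "/aaa", "Hello from router 1!", 200},
	{"GET", "/aaa/foo", "Hello from router 2!", 200},
	{"GET", "/aaa/bar", "Hello from router 3!", 200},
	{"GET", "/aaa/bbbbbb", "", 404},
}

// Audit replays each case in-process against h and returns one line per mismatch.
func Audit(h http.Handler, cases []RouteCase) (bad []string) {
	for _, c := range cases {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(c.Method, c.Path, nil))
		if got := rec.Body.String(); rec.Code != c.Status || (c.Body != "" && got != c.Body) {
			bad = append(bad, fmt.Sprintf("%s %s: got %d %q, want %d", c.Method, c.Path, rec.Code, got, c.Status))
		}
	}
	return bad
}

// standIn serves a path -> handler-id table; a hypothetical stdlib stand-in, not Echo code.
func standIn(table map[string]int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id := table[r.URL.Path]; id != 0 {
			fmt.Fprintf(w, "Hello from router %d!", id)
		} else {
			http.NotFound(w, r)
		}
	})
}

func main() {
	// Constructed table that answers like the issue's "Actual behaviour" list.
	actual := map[string]int{"/aaa": 1, "/aaa/foo": 2, "/aaa/bar": 3, "/aaa/bbbbbb": 1}
	fmt.Println(Audit(standIn(actual), Expected))
}
```

Rows for state-changing methods such as DELETE can be added to the table with the status the application is expected to return for them.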