forked from Mxmilu666/frp
fix(redirect): improve security in HTTP to HTTPS redirection
This commit is contained in:
@@ -51,7 +51,9 @@ func NewHTTP2HTTPSRedirectPlugin(_ PluginContext, options v1.ClientPluginOptions
|
||||
|
||||
p.s = &http.Server{
|
||||
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
||||
http.Redirect(w, req, buildHTTPSRedirectURL(req, opts.HTTPSPort), http.StatusFound)
|
||||
// Not an open redirect: the target scheme is fixed to https and the
|
||||
// host is the one the client already connected to.
|
||||
http.Redirect(w, req, buildHTTPSRedirectURL(req, opts.HTTPSPort), http.StatusFound) //nolint:gosec // G710
|
||||
}),
|
||||
ReadHeaderTimeout: 60 * time.Second,
|
||||
}
|
||||
|
||||
@@ -70,7 +70,7 @@ func (w *logCapture) String() string {
|
||||
// levels parses the captured JSON log output and returns the level of each entry.
|
||||
func (w *logCapture) levels() []charmlog.Level {
|
||||
var levels []charmlog.Level
|
||||
for _, line := range strings.Split(strings.TrimSpace(w.String()), "\n") {
|
||||
for line := range strings.SplitSeq(strings.TrimSpace(w.String()), "\n") {
|
||||
if line == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
@@ -164,9 +164,8 @@ func (w *RotateFileWriter) cleanupOldLogs(now time.Time) {
|
||||
}
|
||||
|
||||
name := f.Name()
|
||||
if strings.HasPrefix(name, base+".") {
|
||||
// Extract date from filename (base.YYYY-MM-DD)
|
||||
dateStr := strings.TrimPrefix(name, base+".")
|
||||
if dateStr, ok := strings.CutPrefix(name, base+"."); ok {
|
||||
if len(dateStr) == 10 {
|
||||
fileDate, err := time.Parse("2006-01-02", dateStr)
|
||||
if err == nil && fileDate.Before(cutoffDate) {
|
||||
|
||||
@@ -15,7 +15,9 @@
|
||||
package vhost
|
||||
|
||||
import (
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"sync"
|
||||
|
||||
@@ -73,11 +75,19 @@ func (r *HTTPSRedirector) Redirect(rw http.ResponseWriter, req *http.Request) bo
|
||||
return false
|
||||
}
|
||||
|
||||
target := "https://" + host
|
||||
if r.port != 443 {
|
||||
target += ":" + strconv.Itoa(r.port)
|
||||
target := url.URL{
|
||||
Scheme: "https",
|
||||
Host: host,
|
||||
Path: req.URL.Path,
|
||||
RawPath: req.URL.RawPath,
|
||||
RawQuery: req.URL.RawQuery,
|
||||
}
|
||||
target += req.URL.RequestURI()
|
||||
http.Redirect(rw, req, target, http.StatusMovedPermanently)
|
||||
if r.port != 443 {
|
||||
target.Host = net.JoinHostPort(host, strconv.Itoa(r.port))
|
||||
}
|
||||
// Not an open redirect: the host is validated against the registered
|
||||
// domain set above, the scheme is fixed, and only the same-host path and
|
||||
// query are echoed back.
|
||||
http.Redirect(rw, req, target.String(), http.StatusMovedPermanently) //nolint:gosec // G710
|
||||
return true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user