antonphp
(Anton)
September 11, 2022, 1:56pm
1
My friend and I were comparing Caddy to Nginx in terms of available vulnerabilities and exploits as reported at Vulmon.
Caddy:
https://www.vulmon.com/searchpage?q=caddy&sortby=byrelevance
It seems that the most recent one was just one minor version ago (2.5.2 is the current version as of creating this topic):
My topic here is to get some “official” policy, if I can say so, regarding such openly reported and discoverable reports. Just wanted to find out if they are on your radar and how much of the priority you give to those.
For reference, my friend refused to even try Caddy after comparing it to Nginx in that database - he said he’d prefer to wait till Caddy is more mature in terms of security and there are no recent vulnerabilities reported. This got me curious and hence the topic.
matt
(Matt Holt)
September 11, 2022, 5:27pm
2
That CVE is bogus and has been contested/rejected:
opened 06:30AM - 09 May 22 UTC
closed 05:09PM - 09 May 22 UTC
bug
It occurs in modules/caddyhttp/rewrite/rewrite.go.
Specifically, this bug is located in `func (rewr Rewrite) rewrite`:
```go
func (rewr Rewrite) rewrite(r *http.Request, repl *caddy.Replacer, logger *zap.Logger) bool {
	oldMethod := r.Method
	oldURI := r.RequestURI

	// method
	if rewr.Method != "" {
		r.Method = strings.ToUpper(repl.ReplaceAll(rewr.Method, ""))
	}

	// uri (path, query string and... fragment, because why not)
	if uri := rewr.URI; uri != "" {
		// find the bounds of each part of the URI that exist
		pathStart, qsStart, fragStart := -1, -1, -1
		pathEnd, qsEnd := -1, -1
		for i, ch := range uri {
			switch {
			case ch == '?' && qsStart < 0:
				pathEnd, qsStart = i, i+1
			case ch == '#' && fragStart < 0:
				qsEnd, fragStart = i, i+1
			case pathStart < 0 && qsStart < 0 && fragStart < 0:
				pathStart = i
			}
		}
		if pathStart >= 0 && pathEnd < 0 {
			pathEnd = len(uri)
		}
		if qsStart >= 0 && qsEnd < 0 {
			qsEnd = len(uri)
		}

		// isolate the three main components of the URI
		var path, query, frag string
		if pathStart > -1 {
			path = uri[pathStart:pathEnd]
		}
		if qsStart > -1 {
			query = uri[qsStart:qsEnd]
		}
		if fragStart > -1 {
			frag = uri[fragStart:]
		}
		...
```
In this function, it parses `rewr.URI` and attempts to find the bounds of each part of the URI that exist.
However, this implementation is too simple to handle unexpected scenarios.
If '#' appears in front of '?' in `rewr.URI`, `qsStart` becomes larger than `qsEnd`,
which leads to a crash like _'panic: runtime error: slice bounds out of range'_ when slicing at `query = uri[qsStart:qsEnd]`.
I wish people would do more thorough research.
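The following is an added, standalone Go example written for this thread; it is not code from the original posts or from Caddy itself. It re-implements the bounds-finding loop quoted in the issue above as `splitURIOriginal`, wraps it in `tryOriginal` so the `slice bounds out of range` panic from a `#`-before-`?` input is caught and reported as an error instead of crashing the process, and adds `splitURIHardened`, a hypothetical replacement (not Caddy's actual fix) that treats everything after the first `#` as fragment text so inverted bounds cannot occur. The function names and the sample URIs in `main` are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// URIParts holds the three components separated by the rewrite logic.
type URIParts struct {
	Path, Query, Frag string
}

// splitURIOriginal mirrors the bounds-finding loop quoted in the issue.
// It keeps the original behaviour on purpose, including the panic when
// '#' precedes '?' (qsStart ends up larger than qsEnd).
func splitURIOriginal(uri string) URIParts {
	pathStart, qsStart, fragStart := -1, -1, -1
	pathEnd, qsEnd := -1, -1
	for i, ch := range uri {
		switch {
		case ch == '?' && qsStart < 0:
			pathEnd, qsStart = i, i+1
		case ch == '#' && fragStart < 0:
			qsEnd, fragStart = i, i+1
		case pathStart < 0 && qsStart < 0 && fragStart < 0:
			pathStart = i
		}
	}
	if pathStart >= 0 && pathEnd < 0 {
		pathEnd = len(uri)
	}
	if qsStart >= 0 && qsEnd < 0 {
		qsEnd = len(uri)
	}
	var p URIParts
	if pathStart > -1 {
		p.Path = uri[pathStart:pathEnd]
	}
	if qsStart > -1 {
		p.Query = uri[qsStart:qsEnd] // panics when qsEnd < qsStart
	}
	if fragStart > -1 {
		p.Frag = uri[fragStart:]
	}
	return p
}

// tryOriginal runs splitURIOriginal and converts a runtime panic into an
// error, so the crash described in the issue can be observed safely.
func tryOriginal(uri string) (p URIParts, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return splitURIOriginal(uri), nil
}

// splitURIHardened is a hypothetical fix written for this example (not
// Caddy's own). Per RFC 3986 the fragment begins at the first '#' and
// runs to the end, '?' included; the query is then searched only in the
// part before the fragment. No index can ever be inverted.
func splitURIHardened(uri string) URIParts {
	var p URIParts
	rest := uri
	if i := strings.IndexByte(rest, '#'); i >= 0 {
		p.Frag = rest[i+1:]
		rest = rest[:i]
	}
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		p.Query = rest[i+1:]
		rest = rest[:i]
	}
	p.Path = rest
	return p
}

func main() {
	// Constructed sample inputs: a well-formed URI and the '#'-before-'?' case.
	for _, uri := range []string{"/a?x=1#f", "/a#frag?x=1"} {
		if p, err := tryOriginal(uri); err != nil {
			fmt.Printf("original  %-14q -> %v\n", uri, err)
		} else {
			fmt.Printf("original  %-14q -> %+v\n", uri, p)
		}
		fmt.Printf("hardened  %-14q -> %+v\n", uri, splitURIHardened(uri))
	}
}
```

Both splitters agree on ordinary inputs; they differ only when `#` appears before `?`, where the original panics and the hardened version returns the `?` as part of the fragment.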
antonphp
(Anton)
September 13, 2022, 4:36pm
3
Okay, makes sense. Nonetheless, the question stays unanswered.
antonphp:
My topic here is to get some “official” policy, if I can say so, regarding such openly reported and discoverable reports. Just wanted to find out if they are on your radar and how much of the priority you give to those.
matt
(Matt Holt)
September 13, 2022, 4:42pm
4
We give valid security reports the highest priority. Simpler and more severe vulnerabilities are patched first.
(You don’t hear about it much because there aren’t many of them.)
antonphp
(Anton)
September 13, 2022, 4:45pm
5
I see. Thank you for clarifying. I checked in the changelog and could not see detailed info about it, hence asking.
system
(system)
Closed
October 11, 2022, 1:57pm
6
This topic was automatically closed after 30 days. New replies are no longer allowed.