Serving static files with %encoding

jiscfoo · January 18, 2024, 12:27pm

1. The problem I’m having:

I have a requirement to serve static files (using file_server) which contain special characters like / and : - for example https://example.com/pie. The implementation follows the SAML Metadata Query semantics (see: Metadata Query Protocol - InCommon Metadata Service Wiki - Internet2 Wiki)

This is currently working under Apache httpd by having files on the filesystem named using urlencoded versions (eg. https:%2F%2Fexample.com%2Fpie) and AllowEncodedSlashes NoDecode defined in the Apache config.

I’m trying to port this to Caddy v2 (using caddy:alpine docker container running v2.7.6) but I only get 404s when requesting the same URI as was being served successfully by Apache.

Both of these files exist on the filesystem:

# ls -il ./pub/mdq/entities/*example.com*
306692 -rw-r--r-- 4 root root 5 Jan 18 12:09 ./pub/mdq/entities/https%3A%2F%2Fexample.com%2Fpie
306692 -rw-r--r-- 4 root root 5 Jan 18 12:09 ./pub/mdq/entities/https%3a%2f%2fexample.com%2fpie
306692 -rw-r--r-- 4 root root 5 Jan 18 12:09 ./pub/mdq/entities/https:%2F%2Fexample.com%2Fpie
306692 -rw-r--r-- 4 root root 5 Jan 18 12:09 ./pub/mdq/entities/https:%2f%2fexample.com%2fpie

The debug output suggests that Caddy is urldecoding %2a into / and then expecting that to be in the filesystem path. What I need is to be able to pass through the %2a into the actual filename on disk.

2. Error messages and/or full log output:

$ curl -vs -H 'Host: example' http://hal.lan:8082/entities/https:%2f%2fexample.com%2fpie
*   Trying 192.168.37.22:8082...
* Connected to hal.lan (192.168.37.22) port 8082
> GET /entities/https:%2f%2fexample.com%2fpie HTTP/1.1
> Host: example
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: application/samlmetadata+xml
< Server: Caddy
< Date: Thu, 18 Jan 2024 12:18:31 GMT
< Content-Length: 0
<
* Connection #0 to host hal.lan left intact

{"level":"info","ts":1705580627.7879965,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1705580627.8091376,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1705580627.8116891,"msg":"redirected default logger","from":"stderr","to":"stdout"}
{"level":"info","ts":1705580627.8151548,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1705580627.8173888,"logger":"http.auto_https","msg":"automatic HTTPS is completely disabled for server","server_name":"srv0"}
{"level":"info","ts":1705580627.8174314,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0005a3200"}
{"level":"debug","ts":1705580627.8174934,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"vars","root":"/pub/mdq"}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Type":["application/samlmetadata+xml"]}}}],"match":[{"path":["/entities/*"]}]},{"handle":[{"canonical_uris":false,"handler":"file_server","hide":["/etc/caddy/Caddyfile"],"precompressed":{"gzip":{}},"precompressed_order":["gzip"]}]}]}],"terminal":true}],"automatic_https":{"disable":true},"logs":{"logger_names":{"example":"log0"}}}}}}
{"level":"debug","ts":1705580627.8233988,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1705580627.8235157,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1705580627.824527,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1705580627.8276577,"msg":"serving initial configuration"}
{"level":"warn","ts":1705580627.8347867,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"4979a702-4f27-4e4b-8742-69a09721d8b0","try_again":1705667027.8347764,"try_again_in":86399.999997861}
{"level":"info","ts":1705580627.8350356,"logger":"tls","msg":"finished cleaning storage units"}

{"level":"debug","ts":1705580634.837426,"logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/pub/mdq","request_path":"/entities/https://example.com/pie","result":"/pub/mdq/entities/https:/example.com/pie"}
{"level":"debug","ts":1705580634.8377106,"logger":"http.log.error.log0","msg":"{id=z8ax53q2w} fileserver.(*FileServer).notFound (staticfiles.go:629): HTTP 404","request":{"remote_ip":"192.168.37.221","remote_port":"53028","client_ip":"192.168.37.221","proto":"HTTP/1.1","method":"GET","host":"example","uri":"/entities/https:%2f%2fexample.com%2fpie","headers":{"Accept":["*/*"],"User-Agent":["curl/8.4.0"]}},"duration":0.000516803,"status":404,"err_id":"z8ax53q2w","err_trace":"fileserver.(*FileServer).notFound (staticfiles.go:629)"}
{"level":"error","ts":1705580634.8378222,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.37.221","remote_port":"53028","client_ip":"192.168.37.221","proto":"HTTP/1.1","method":"GET","host":"example","uri":"/entities/https:%2f%2fexample.com%2fpie","headers":{"User-Agent":["curl/8.4.0"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000516803,"size":0,"status":404,"resp_headers":{"Server":["Caddy"],"Content-Type":["application/samlmetadata+xml"]}}

3. Caddy version:

# docker compose exec mps caddy version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Docker 24.0.7 running under Alpine Linux v3.19
caddy:alpine image reporting as v2.7.6

# uname -a
Linux hal 6.6.7-0-virt #1-Alpine SMP PREEMPT_DYNAMIC Thu, 14 Dec 2023 08:49:17 +0000 x86_64 GNU/Linux

b. Command:

docker compose up -d

c. Service/unit/compose file:

Docker Compose file

version: '3.6'
services:
  mps:
    image: caddy:alpine
    ports:
      - 8082:80
    volumes:
      - ./pub:/pub:ro
      - ./Caddyfile:/etc/caddy/Caddyfile:ro

d. My complete Caddy config:

{
        auto_https off
        log default {
                output stdout
        }
        debug
}

(common) {
        log {
                output stdout
        }

        file_server {
                precompressed gzip
                disable_canonical_uris
        }
}

example:80 {
        root * /pub/mdq
        header /entities/* Content-Type application/samlmetadata+xml

        import common
}

5. Links to relevant resources:

https://httpd.apache.org/docs/2.4/mod/core.html#allowencodedslashes

https://spaces.at.internet2.edu/display/MDQ/Metadata+Query+Protocol

Thanks!

jiscfoo · January 19, 2024, 2:19pm

From what I can see, file_server routes requests through staticfile.go’s ServeHTTP function. This does a bit of tidying then passes the request path through:

filename := strings.TrimSuffix(
    caddyhttp.SanitizedPathJoin(root, r.URL.Path),
    "/"
)

The function SanitizedPathJoin() which will be called (I can’t see any configuration item which would prevent it) tjem passes the r.URL.Path through path.Clean() which (again, with no tunables), does various things including:

Replace multiple Separator elements with a single one

From this I think that there is no way to persuade Caddy, as it currently stands, to serve up a file in the way I am after.

Would anyone be able to confirm my working?

francislavoie · January 19, 2024, 8:37pm

I think you need to make the URLs use %25 in place of % to “escape” the encoding. I don’t think there’s really any way around that.

Disabling path cleaning would open up a security vulnerability via path traversal. I don’t think it’s a good idea to allow that to be configurable.

jiscfoo · January 22, 2024, 9:29am

Thanks for replying… unfortunately I don’t think it’s something I can influence as the request format is part of the (draft) MDQ specification (draft-young-md-query-20 - Metadata Query Protocol) which, in §3.2.1, says:

3.2.1.  Request by Identifier

   A metadata query request for all entities tagged with a particular
   identifier is performed by issuing an HTTP GET request to a URL
   constructed as the concatenation of the following components:

   *  The responder's base URL.

   *  The string "entities/".

   *  A single identifier, percent-encoded appropriately for use as a
      URL path segment (see sections 2.1 and 3.3 of [STD66]).

   For example, with a base URL of http://example.org/mdq/, a query for
   the identifier foo would be performed by an HTTP GET request to the
   following URL:

   http://example.org/mdq/entities/foo

   Correct encoding of the identifier as a URL path segment is critical
   for interoperability.  In particular:

      The character '/' MUST be percent-encoded.

      The space character MUST be encoded as '%20' and MUST NOT be
      encoded as '+' as would be required in a query parameter.

   For example, with a base URL of http://example.org/mdq/, a query for
   the identifier "blue/green+light blue" would be performed by an HTTP
   GET request to the following URL:

   http://example.org/mdq/entities/blue%2Fgreen+light%20blue

I understand the keep the path sanitisation strict, but wonder if it’s practical to have an option to disable the decoding for a specific subpath (request matcher?) or path element.

In the case of the example, it would be something like:

handle /entities/* {
    uri no_urldecode
}

matt · January 23, 2024, 6:01pm

In reading that I’m not sure what verbiage suggests that % can’t be encoded as %25 though.

jiscfoo · February 7, 2024, 8:51am

I’m sorry I’m not sure what you mean.

I’m not saying that %2F can’t be encoded as %252F, however existing MDQ clients (those that I’m trying to support) currently make requests that don’t do this.

That being said, if there was some sort of preprocessor within caddy that would do that rewrite (%2F := %252F) before the normal processing then I could try that…

Mohammed90 · February 7, 2024, 9:03am

As of Caddy v2.6.0, you can match against % as-is. See the path matcher docs here:

Specifically, note this section:

Because there are multiple escaped forms of any given URI, the request path is normalized (URL-decoded, unescaped) except for those escape sequences at positions where escape sequences are also present in the match pattern. For example, /foo/bar matches both /foo/bar and /foo%2Fbar, but /foo%2Fbar will match only /foo%2Fbar, because the escape sequence is explicitly given in the configuration.

The special wildcard escape %* can also be used instead of * to leave its matching span escaped. For example, /bands/*/* will not match /bands/AC%2FDC/T.N.T because the path will be compared in normalized space where it looks like /bands/AC/DC/T.N.T, which does not match the pattern; however, /bands/%*/* will match /bands/AC%2FDC/T.N.T because the span represented by %* will be compared without decoding escape sequences.

I believe you can use the path matcher per the documented criteria, then do a rewrite to the escaped pattern to allow the file-server to function per normal.

You probably will find the PR (of the smart matching feature) description and the release notes helpful to wrap your head around it.

(search for Smarter path matching and rewriting)

github.com/caddyserver/caddy

caddyhttp: Smarter path matching and rewriting

caddyserver:master ← caddyserver:path-escaping

opened 05:56AM - 10 Aug 22 UTC

mholt

+614 -112

This branch resolves several inconsistencies across Caddy's HTTP facilities rega…rding URI encodings in paths. I am not entirely sure, but I suppose breaking changes might be possible if users relied on buggy behavior that has only just been determined and is being remedied here. This PR mainly affects the `path` matcher and the `rewrite` middleware (including both the `rewrite` and `uri` Caddyfile directives). These are extremely commonly-used Caddy features. ## Background URIs (essentially the part of the URL after the scheme and authority/host, e.g. `/foo/bar?a=b#frag` -- though servers don't really deal with `#fragment` components) are famous for being inconsistently encoded and parsed. Differences in parsing/handling between servers, proxies, and applications often lead to bugs and security vulnerabilities. For example, a path of `//foo/bar` might be considered equivalent to `/foo/bar` by one piece of infrastructure, and different to another. Similarly, `/foo%2Fbar` might or might not be the same as `/foo/bar`. To a router, they could be different. To an application, they could be the same. A web server like Caddy is between a rock and a hard place, because it finds itself between untrusted clients who send all manner of inconsistent requests, and other servers or applications who expect the request URI to be _just right_. Caddy is often expected to route requests of all varieties and rewrite/transform them into something the backend application (even if that's just the built-in static file server) can use without confusion. The problem is the requirements and expectations vary widely! Caddy has had several issues over the years where some users expect a URI like `/foo%2Fbar` to be transformed into `/foo/bar` before being proxied. Some want `/foo/bar` to match `/foo%2Fbar`, while others don't. Some want a matcher like `/secret/*` to match URIs like `//secret/*` or `/secret//*` because they put it behind authentication, and if it doesn't match, auth could be bypassed! Windows treats `/file.php . ..` the same as `/file.php` -- even though they technically have different suffixes and file extensions, [causing routing blunders](https://github.com/caddyserver/caddy/pull/2917). Then imagine a path prefix like `/bands/*/*/` that should match `/bands/Pink/Try/` as well as `/bands/AC%2FDC/T.N.T` -- but if the path matcher normalizes (decodes) URIs before matching, the first URI would work but the second would become `/bands/AC/DC/T.N.T` which doesn't match the pattern anymore. To make matters worse, any given URI has multiple valid encoded forms. `%2F%66%6F%6F%2F%62%61%72` can be decoded to `/foo/bar` just as well as `/foo%2Fbar` can, and everything in between can, too. If routers matched on non-normalized URIs, there would be plenty more security bugs to deal with: a pattern of `/foo/*`, which is expected to be authenticated, would no longer match `/foo%2Fbar` even though they are, according to ratified RFCs, _equivalent_. In other words, encodings are significant to applications, but normalizing URIs to a consistent form is critical for maintaining security. Let me restate here [what I wrote for the Laravel community](https://github.com/laravel/framework/issues/22125#issuecomment-1208810581) when I started working on this (with minor changes to make sense out of context): --- RFC 9110, "HTTP Semantics," has a section on HTTP URI normalization, [which says](https://www.rfc-editor.org/rfc/rfc9110.html#name-https-normalization-and-com): > Two HTTP URIs that are equivalent after normalization (using any method) can be assumed to identify the same resource, and any HTTP component MAY perform normalization. As a result, distinct resources SHOULD NOT be identified by HTTP URIs that are equivalent after normalization. In other words, `/foo%2Fbar` and `/foo/bar` are equivalent after normalizing, and thus they _SHOULD NOT_ be used for distinct resources. So if you are encoding application data into the path, and that data could possibly have reserved characters / delimiters (like `/`), consider redesigning your API: it is not robust in the harsh HTTP environment. Note that several RFCs, notably RFCs 3986 and 9110, continually repeat that URI parsing is dependent upon scheme. That's one other problem: we all use the `http://` or `https://` scheme and yet expect applications to handle URIs differently. So of course there's going to be head-butting: we're fighting the design. To clarify, it is definitely possible for a URI path such as `/band/AC%2fDC/T.N.T` to be "properly" handled by a server application. For this case, simply write a server that decodes everything after `/band/` except `%2f`. :man_shrugging: The problem is that this is difficult _in general_. Depending on what situations you do this, you may be opening yourself to bugs and security holes. This is why Caddy currently handles URIs solely in the unescaped space: it's the "one true" representation of a URI, and normalized HTTP URIs are more or less clearly defined nowadays. Others might propose a solution to double-encode application data in the path; in other words, have the client send a URI with a path of `/bands/AC%252fDC/T.N.T`. This will probably work, but it's a hack and it [violates spec](https://www.rfc-editor.org/rfc/rfc3986#section-2.4): > Implementations **must not** percent-encode or decode the same string more than once, as decoding an already decoded string might lead to misinterpreting a percent data octet as the beginning of a percent-encoding, or vice versa in the case of percent-encoding an already percent-encoded string. Beware of the non-conforming behavior and highlight it very prominently in documentation so you can avoid bugs. Laravel user @alcaitiff made a comment that some of you may be thinking: > The router should resolve the route and after that decode parameters, but it does decode the url parameters before resolving the route. I can't speak for Laravel or what it's doing, but the Go standard library (what Caddy uses), for example, **does** do URL parsing correctly and still has this problem. Go does exactly what you and the spec recommend: it splits the URI into its components and _then_ decodes reserved characters after parsing. It preserves the original, "raw" path in the `RawPath` field and offers the decoded path in the `Path` field. Its [`EscapedPath()`](https://pkg.go.dev/net/url#URL.EscapedPath) method uses `RawPath` _if it is a valid encoding of `Path`_, which is interesting because any given path has multiple valid encodings as I noted above. So if I want to truly "normalize" the URI in Go, I have to call `url.PathEscape(req.URL.Path)` myself and ignore `RawPath` entirely (AFAIK). And guess what, this converts `/foo/bar` to... `/foo/bar`. In other words, decoding `/foo%2Fbar` is not reversible without loss of precision. (Unless the HTTP server knows your business logic, more on that in a moment.) We can write our own logic, though, that uses `RawPath` as a "hint" (as the Go docs say) to maybe replace `/` with `%2f`, but if we've manipulated/rewritten the URI at all, this becomes infeasible because we don't know where or if that instance still exists in the string. [RFC 3986 section 2](https://www.rfc-editor.org/rfc/rfc3986#section-2.2) states: > URI producing applications should percent-encode data octets that > correspond to characters in the reserved set unless these characters > are specifically allowed by the URI scheme to represent data in that > component. If a reserved character is found in a URI component and > no delimiting role is known for that character, then it must be > interpreted as representing the data octet corresponding to that > character's encoding in US-ASCII. The `/` is in the reserved set. Thus it is up to the implementation to determine whether it is data or a delimiter. I guess Laravel doesn't know, and it's frankly safer to assume it's a delimiter and treat it in its normalized form. So yes, this issue is frustrating. As a web server author, I feel like I need to write software that can read people's minds: is this slash data or is it a delimiter? The router needs more information, because both are very valid ways of interpreting a URI! --- ## The solution I think the key to this problem is trying to read the developer's mind: is this character supposed to be a delimiter (part of the path) or data? Should we collapse repeated slashes or no? The answers depend on the context. For routing / path matching, the answer may be one way, for rewriting it may be another, and for proxying it may be yet another depending on the applications being proxied to. Nginx, Apache, and Caddy all merge slashes by default when matching. However, Nginx and Apache have options to disable that behavior and preserve the slashes, which can lead to security vulnerabilities. All three do path matching (or routing) in the normalized space to mitigate bugs but, like we saw with Laravel, makes it difficult or impossible to route requests with application data that decode as path-significant characters like `%2F` (`/`), leaving many developers frustrated. This PR introduces a somewhat novel solution that allows the developer to convey their intent to the server when doing matching and rewriting. **Simply put, our solution is to interpret encoded characters and multiple slashes in the configuration as a literal conveyance of the developer's intent.** In other words, we don't blanket-unescape the whole URI every time. We do it byte-for-byte in lock-step with the configured pattern to match, and only unescape if the match pattern is not escaped at that position. Similarly, if a configured path has double slashes `//` in it, we do not merge slashes when comparing paths, because we infer the user's intent is to match repeated slashes. ### Path matching Path matching (aka routing) is still done in the normalized space. That means if you configure a path matcher of `/foo/bar`, it will match `/foo/bar`, `/foo%2Fbar` and even `%2F%66%6F%6F%2F%62%61%72` because we normalize the URI. This is unchanged from before. But now if you have a path matcher of `/foo%2Fbar`, it will match `/foo%2Fbar` exactly (the escape sequence is case-insensitive), whereas previously it would have only matched `/foo%252Fbar` (i.e. `%` as data). Now, `/foo%2Fbar` will NOT match `/foo/bar` or `%2Ffoo/bar` because we infer intent from seeing escape sequences in the match pattern as application data, not path delimiters. **This logic handily extends to wildcards, too.** Referring to the previous example from our Laravel discussion, if you want to use `/bands/*/*` it is impossible to match a URI of `/bands/AC%2fDC/T.N.T` (in Laravel, too). But with this change, you can use special "escape-wildcard" characters: `/bands/%*/%*` to indicate that the span matched by the wildcard should _not_ be URI-decoded and should be kept in the escaped/raw space. So now, if you want to allow band names to have a `/` in them, you can simply write `/bands/%*/%*`. ### Double slashes Similar to escape sequences, we now disable slash merging automatically if the configured pattern has repeated slashes. Previously, it was impossible to match `//foo` because all URIs were normalized. Now, a path matcher of `//foo` will preserve multiple slashes. (A matcher of `/foo` will still match `//foo`.) ### Rewriting A common task of rewriting is to strip path prefix and path suffix. The logic explained above has also been implemented for these operations, allowing you to use escaped characters and multiple slashes in your prefix and suffix patterns, and now Caddy will rewrite more intuitively and correctly. For example, if you want to strip a prefix of `//prefix` from `//prefix/foo`, it will work, whereas before it wouldn't find the prefix because it would look at a fully-normalized URI. Similarly, you can strip prefixes or suffixes with encoded characters. For example, a prefix of `/foo%2Fbar` will rewrite a URI of `/foo%2Fbar/asdf` into `/asdf`, whereas before it wouldn't find the prefix. ## Is it perfect? Probably not. Are there bugs? Probably. Have I overlooked things? Almost certainly yes. I'm pretty sure there might be nooks and crannies within Caddy that I missed implementing this. Please file a bug report if you need it to work but doesn't work like you expect. I'm pretty happy with this approach though. I think it's very useful and I don't know of other mainstream servers or frameworks that implement this behavior. In true Caddy fashion, this should _just work_. - fixes #4801 - fixes #4923 - fixes #4743

francislavoie · February 7, 2024, 9:22am

Yeah maybe you can do this:

uri replace %2F %252F

The problem is this is case sensitive I think, so if %2f appears in the request then it wouldn’t get replaced.

You could do both probably, I think it should be safe? Maybe?

Edit: For my own sanity, I added a couple test cases to make sure path joining behaves the way we think it does for %252F caddyhttp: Test cases for `%2F` and `%252F` by francislavoie · Pull Request #6084 · caddyserver/caddy · GitHub

matt · February 7, 2024, 2:53pm

Just noting that this seems like a bug in the clients. It’s an improper encoding of the URL if it’s not using %252F for this purpose.

I think the workaround described by Francis works, but it is likely not secure/correct generally speaking.

jiscfoo · February 19, 2024, 1:14pm

@matt do you have a RFC reference for that non-compliance assertion?

This bit of config appears to do the right thing:

example:80 {
    ...
    uri /entities/* replace %2F %252F
    uri /entities/* replace %2f %252F
    uri /entities/* replace %3a %253A
    root * /pub/mdq
}

matt · February 19, 2024, 5:27pm

It’s not a matter of spec, IMO it’s just logical:

%252F decodes to %2F which is what you want to access on disk. Using %2F decodes to a literal / which is NOT true to the filenames on disk.

system · March 20, 2024, 5:28pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.