Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect regex in forRegex #233

Open
fizbin opened this issue Jul 20, 2022 · 0 comments
Open

Incorrect regex in forRegex #233

fizbin opened this issue Jul 20, 2022 · 0 comments
Labels
bug

Comments

@fizbin
Copy link

fizbin commented Jul 20, 2022

While auditing some internal code for a common mistake made in regex patterns, we discovered a vendored copy of this line:

handlers/proxy_headers.go

Line 25 in 3e03024

forRegex = regexp.MustCompile(`(?i)(?:for=)([^(;|,| )]+)`)

The line currently reads

	forRegex = regexp.MustCompile(`(?i)(?:for=)([^(;|,| )]+)`)

It was likely intended to read

	forRegex = regexp.MustCompile(`(?i)(?:for=)([^;, ]+)`)

however, even that is not correct according to rfc7239. If we wish to follow the RFC, then the forRegex should be defined as

	forRegex = regexp.MustCompile(`(?i)(?:for=)(?:([-!#$%&'*+.^`|~\w]+)|"((?:[\t \x21-\x27\x2A-\x5B\x5D-\x7E\x80-\xFF]|\\[\t -~\x80-\xFF])+)")`)

and in that case processing that uses forRegex will need to decide whether the first or second capture group matched and, in the case where the second capture group matched, do the appropriate replacement to remove backslashes.
@coreydaley coreydaley added the bug label Jul 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Gorilla Web Toolkit
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fizbin @coreydaley