4 matches found
GHSA-4XRR-HQ4W-6VF4 Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary: The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details: The try_files directive is used to rewrite the request uri. It accepts a list of patterns and checks if any files exist in the root that match the...
Improper Neutralization of Equivalent Special Elements
Overview: Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements in matcher.go, when matching filenames using the try_files directive, which does not properly handle backslashes. An attacker can bypass security protections by exploiting glob...
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary: The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details: The try_files directive is used to rewrite the request uri. It accepts a list of patterns and checks if any files exist in the root that match the...
Improper Neutralization of Equivalent Special Elements
Overview: github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver is a fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS. Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements in matcher.go, when matching filenam...