author | Jakob Borg <jakob@kastelo.net> | 2023-10-07 04:09:07 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-07 04:09:07 +0200 |
commit | 690b55360f64cc4bdb86dad51bb87581a4400937 (patch) | |
tree | ce490f04d125f1f7474c43732d803154cacfc506 /cmd | |
parent | 2f6187dc0e0b4eab87c199cd2b6fe1521d912bb5 (diff) | |
cmd/stdiscosrv: Handle unescaped cert header from Traefik (fixes #9143) (#9153)
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/stdiscosrv/apisrv.go | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/cmd/stdiscosrv/apisrv.go b/cmd/stdiscosrv/apisrv.go
index 0f39f5d1f..87266870a 100644
--- a/cmd/stdiscosrv/apisrv.go
+++ b/cmd/stdiscosrv/apisrv.go
@@ -354,13 +354,14 @@ func certificateBytes(req *http.Request) ([]byte, error) {
 bs = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: hdr})
 } else if hdr := req.Header.Get("X-Forwarded-Tls-Client-Cert"); hdr != "" {
 // Traefik 2 passtlsclientcert
- // The certificate is in PEM format with url encoding but without newlines
- // and start/end statements. We need to decode, reinstate the newlines every 64
+ //
+ // The certificate is in PEM format, maybe with URL encoding
+ // (depends on Traefik version) but without newlines and start/end
+ // statements. We need to decode, reinstate the newlines every 64
 // character and add statements for the PEM decoder
- hdr, err := url.QueryUnescape(hdr)
- if err != nil {
- // Decoding failed
- return nil, err
+
+ if unesc, err := url.QueryUnescape(hdr); err == nil {
+ hdr = unesc
 }
 
 for i := 64; i < len(hdr); i += 65 {
@@ -368,7 +369,7 @@ func certificateBytes(req *http.Request) ([]byte, error) {
 }
 
 hdr = "-----BEGIN CERTIFICATE-----\n" + hdr
- hdr = hdr + "\n-----END CERTIFICATE-----\n"
+ hdr += "\n-----END CERTIFICATE-----\n"
 bs = []byte(hdr)
 }
 
|
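Review bot: `url.QueryUnescape` turns every literal `+` into a space, and base64 certificate data can contain `+`. For the unescaped header form that the first hunk is meant to accept, the call therefore succeeds and silently alters the value instead of hitting the `err != nil` fallback. `if unesc, err := url.PathUnescape(hdr); err == nil {` would still decode `%2B`, `%2F` and `%3D` from the escaped form while leaving a raw `+` untouched, with no new import. Because the decode error is now discarded, a malformed header is rejected only if the PEM and certificate parsing after this branch does so; certificateBytes continues outside the hunk, so that is worth confirming. A test that feeds a certificate whose base64 contains `+` in both the escaped and unescaped forms would pin the behaviour.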