Tokenizer change in 3.10 breaks many URLs #519
Comments
Thank you for reporting this. The change was made because of a reported security issue. I will have a close look at your example(s).
I was able to reproduce the problem.
FYI: it isn’t just the openapi endpoint that stopped working. I just use that one as an example. It’s all of the endpoints. /users doesn’t work anymore, only /users/ etc.
Yes, I realise the impact is larger. Thinking about rolling it back.
What was the security issue? Maybe I can help with finding a better solution.
The feature flag mentioned there doesn’t seem to be implemented. How about a setting with three possible values:
That way everybody can choose for their application what their URL structure is. If you like this solution I’d be happy to help implement it, and adapt the swagger/openapi code to make sure its output matches the selected option.
@emicklei is this supposed to be fixed? We're seeing changes in behavior in the PR that I linked ☝️
@lucacome, v3.10.1 is supposed to fix issues introduced with v3.10, which contained changes to fix the reported security issue.
This was the security issue reported: #497 "There is an inconsistency between how golang (and other packages) and go-restful parse the url path."
Sorry I didn’t reply earlier. I’ve been swamped. I haven’t checked the latest code yet. I’ll look at it as soon as I can!
@emicklei did you get a chance to look into it?
@lucacome so, the package in its current state requires a different route to match.
I'm ok with any solution that can bring back the previous logic :)
Wrong, it uses the old logic as default for now: https://github.com/emicklei/go-restful/pull/523/files#diff-4c596ebcfb13dbd1279de9b297b3d39701d7205967b37349577c276c06b68127R370
With version
I am still seeing this as an issue, unless I am misunderstanding the issue.
Looking at the example for "trimslash" above, both endpoints,
Nope, check this: in short, if we register a handler for the
Sorry, did not get your question, ignore my previous comment.
Just to help explain and utilize the 'trimslash' example i did this simple example...
Obviously, both endpoints are defined, but with different functions giving different responses. The If I comment out the Keeping with the tests and the default behavior, if I comment out the Last set of tests...default behavior with the I reran the same with
I realize my paragraph style is a jumbled mess, so here is a "table" that hopefully helps with the different tests. For reference, the code should be the following...
| endpoint called ---> | previous behavior <= 3.9 | endpoint called ---> | /hello | /hello/ |
@KeithETruesdell thank you for your elaborate report. The TrimSlashStrategy was created to have the <= 3.9 behaviour. I will redo your tests and see what change I have missed since 3.9.
found a (causal) difference in route.go # tokenizePath :167 3.9
3.10
need to investigate why
Hi to those involved, can you please comment on the current state.
I propose to restore the behaviour of 3.9.0 w.r.t. route matching and start a new v4 branch instead.
* allow multiple samples for Write, issue #514
* update changelog
* chore: example handling request parameters with httpin (#518)
* use path package to join slash fragments #519 (#520)
* update hist
* update example openapi to use 3.10.1
* Add test for client request with and without trailing slash. (#522)
* Add test for client request with and without trailing slash.
* Correction.
* introduce MergePathStrategy
* Revert "introduce MergePathStrategy" This reverts commit 709cf80.
* introduce MergePathStrategy for #521 #519 (#523)
* introduce MergePathStrategy for #521 #519
* update readme, set default to new strategy, add extra test
* link to security issue
* update change hist
* add hello world with TrimSlashStrategy
* two route example
* examples to show differences #519
* more route examples #519
* add examples for issue519 with path in root
* remove obsolete swagger example
* Update README.md remover swagger12 mention
* allow multiple samples for Write, issue #514
---------
Co-authored-by: Ggicci <[email protected]>
Co-authored-by: Gerrit <[email protected]>
FYI, I have started working on a new v4 branch.
Working to get the routing spec clear first, see https://github.com/emicklei/go-restful/tree/v4#routing
So the plan is to restore 3.9.0 behavior in the v3 branch, starting with 3.11, with the option to trim the suffix slash set to true.
Fixed in 3.11.0.
I'm using https://github.com/emicklei/go-restful/tree/67c9f7e97871832a5773f8a7c66230c7e3322e20/examples/openapi as the test case.
This has the following content in go.mod:
Running this:
And in a second window:
Upgraded to github.com/emicklei/go-restful/v3 v3.9.0:
Still good:
But with 3.10:
It fails:
Instead it suddenly requires a trailing slash:
This is a breaking change that I did not expect in a stable release… And besides, the URL became ugly :)
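Added example, not code from go-restful or from anyone in this thread: a minimal Go route matcher that makes the trailing-slash question concrete. The `Strategy`, `normalizePath`, `Route` and `Match` names are constructed for this illustration and are not the library's API. It shows why `/hello` and `/hello/` select the same route under a trim-slash policy and different routes under a strict policy, and it puts the normalisation in one function so the router and any access check on the path see the same string, which is the consistency the linked security issue (#497) is about.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Strategy decides whether a trailing slash is significant when a request
// path is matched against a route template. Both names are constructed for
// this example; they are not go-restful's own API.
type Strategy int

const (
	// StrictSlash keeps "/hello" and "/hello/" as two distinct routes.
	StrictSlash Strategy = iota
	// TrimSlash drops the trailing slash, so both spellings reach the same
	// route (the <= 3.9 behaviour the thread asks to have restored).
	TrimSlash
)

var strategyNames = map[Strategy]string{StrictSlash: "strict", TrimSlash: "trim"}

// normalizePath runs Go's path.Clean (which collapses repeated slashes and
// dot segments and always strips a trailing slash) and then re-adds the
// trailing slash only under StrictSlash. The router and any authorization
// check on the path should both call this one function so they agree.
func normalizePath(p string, s Strategy) string {
	if p == "" {
		p = "/"
	}
	hadTrailing := len(p) > 1 && strings.HasSuffix(p, "/")
	cleaned := path.Clean("/" + p)
	if s == StrictSlash && hadTrailing && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned
}

// tokenize splits a normalised path into its segments; "/" yields no tokens.
func tokenize(p string) []string {
	trimmed := strings.Trim(p, "/")
	if trimmed == "" {
		return nil
	}
	return strings.Split(trimmed, "/")
}

// Route is a registered template such as "/users/{id}" plus its tokens.
type Route struct {
	Template string
	tokens   []string
	trailing bool // template ended in "/"; only consulted under StrictSlash
}

// NewRoute normalises the template with the same strategy used for requests.
func NewRoute(template string, s Strategy) Route {
	norm := normalizePath(template, s)
	return Route{
		Template: template,
		tokens:   tokenize(norm),
		trailing: norm != "/" && strings.HasSuffix(norm, "/"),
	}
}

// Match reports whether requestPath selects this route and returns the
// bound path parameters ({name} segments) when it does.
func (r Route) Match(requestPath string, s Strategy) (map[string]string, bool) {
	norm := normalizePath(requestPath, s)
	toks := tokenize(norm)
	if len(toks) != len(r.tokens) {
		return nil, false
	}
	if s == StrictSlash {
		reqTrailing := norm != "/" && strings.HasSuffix(norm, "/")
		if reqTrailing != r.trailing {
			return nil, false
		}
	}
	params := map[string]string{}
	for i, t := range r.tokens {
		if strings.HasPrefix(t, "{") && strings.HasSuffix(t, "}") {
			params[t[1:len(t)-1]] = toks[i]
			continue
		}
		if t != toks[i] {
			return nil, false
		}
	}
	return params, true
}

func main() {
	// Reproduce the thread's "endpoint called" table for the two-route case.
	for _, s := range []Strategy{StrictSlash, TrimSlash} {
		routes := []Route{NewRoute("/hello", s), NewRoute("/hello/", s)}
		for _, req := range []string{"/hello", "/hello/", "/hello//"} {
			for _, r := range routes {
				_, ok := r.Match(req, s)
				fmt.Printf("strategy=%-6s route=%-8s request=%-9s match=%v\n",
					strategyNames[s], r.Template, req, ok)
			}
		}
	}
}
```

Under `TrimSlash` the two registrations `/hello` and `/hello/` collapse to the same route, which is why registering both with different handlers (as in the test described earlier in the thread) cannot give two distinct responses under that policy; under `StrictSlash` each request reaches exactly one of them.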