500 Internal Server Error for URL Containing Null Byte (%00) #7008
Description
When testing the server, we expected a 400 Bad Request or 404 Not Found response for a request containing a null byte (%00), but instead received a 500 Internal Server Error.
Note: Since the issue appears to stem from the server's handling of malformed paths rather than any interaction with the filesystem itself, filesystem details have been omitted from this report.
Config:
{
	debug
}
:8080 {
	# Set this path to your site's directory.
	root * ../html
	# Enable the static file server.
	file_server browse
}
Commands:
caddy run --config ./Caddyfile
curl -v http://localhost:8080/%00
Response:
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:8080...
* Connected to localhost (::1) port 8080
> GET /%00 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Server: Caddy
< Date: Sat, 10 May 2025 05:26:29 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
*
Logs:
2025/05/10 05:24:55.612 INFO using provided configuration {"config_file": "./Caddyfile", "config_adapter": ""}
2025/05/10 05:24:55.617 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/05/10 05:24:55.618 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00034e1c0"}
2025/05/10 05:24:55.619 INFO tls cleaning storage unit {"description": "FileStorage:/home/srinathsai22/.local/share/caddy"}
2025/05/10 05:24:55.619 DEBUG http starting server loop {"address": "[::]:8080", "tls": false, "http3": false}
2025/05/10 05:24:55.619 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/05/10 05:24:55.619 INFO tls finished cleaning storage units
2025/05/10 05:24:55.619 INFO autosaved config (load with --resume flag) {"file": "/home/srinathsai22/.config/caddy/autosave.json"}
2025/05/10 05:24:55.619 INFO serving initial configuration
2025/05/10 05:26:29.458 DEBUG http.handlers.file_server sanitized path join {"site_root": "../html", "request_path": "/\u0000", "result": "../html/\u0000"}
2025/05/10 05:26:29.458 ERROR http.log.error stat ../html/: invalid argument {"request": {"remote_ip": "::1", "remote_port": "50300", "proto": "HTTP/1.1", "method": "GET", "host": "localhost:8080", "uri": "/%00", "headers": {"User-Agent": ["curl/8.5.0"], "Accept": ["*/*"]}}, "duration": 0.000216907, "status": 500, "err_id": "70jip8jmt", "err_trace": "fileserver.(*FileServer).ServeHTTP (staticfiles.go:255)"}
Patch:
The error seems to stem from the file server attempting to resolve and stat() a path containing a null byte, which results in a system-level "invalid argument" error. Instead of propagating this to a 500 response, a more appropriate response might be to return a 400 Bad Request to indicate the malformed nature of the request path.
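The behaviour suggested above, as an added sketch in Go that is not Caddy's code and not part of the original report: a stand-in static handler rejects a decoded NUL byte with 400 before touching the filesystem, and maps a stat failure of `EINVAL` to 400 instead of 500 as a second layer. The names `serveStat`, `statusForStatError` and `probe` are hypothetical, and the requests are constructed test inputs.

```go
package main

import (
	"errors"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
	"strings"
	"syscall"
)

// statusForStatError maps a failed stat to a status; Go returns EINVAL for a NUL in a path.
func statusForStatError(err error) int {
	switch {
	case errors.Is(err, syscall.EINVAL):
		return http.StatusBadRequest
	case errors.Is(err, fs.ErrNotExist):
		return http.StatusNotFound
	}
	return http.StatusInternalServerError
}

// serveStat is a hypothetical stand-in for a static file handler.
// r.URL.Path is already percent-decoded, so %00 arrives as "\x00".
func serveStat(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.ContainsRune(r.URL.Path, 0) {
			http.Error(w, "invalid request path", http.StatusBadRequest)
			return
		}
		name := filepath.Join(root, filepath.FromSlash(path.Clean("/"+r.URL.Path)))
		if _, err := os.Stat(name); err != nil {
			w.WriteHeader(statusForStatError(err))
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// probe runs one constructed request through the handler and returns the status.
func probe(root, target string) int {
	rec := httptest.NewRecorder()
	serveStat(root).ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Code
}

func main() { println(probe(os.TempDir(), "/%00"), probe(os.TempDir(), "/")) }
```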