net/http: StripPrefix does not always strip in a valid way

[zepatrik]

Go version

go version go1.26.0 darwin/arm64

Output of go env in your module/workspace:

stdlib implementation bug, unrelated to env

What did you do?

Simply using the http.StripPrefix helper to strip a known prefix.

What did you see happen?

1. When the request path is exactly the prefix, the req.URL.Path is set to the empty string instead of /. This can break downstream handlers, as they can reasonably expect the path to not be empty per RFC 7230 §5.3.1
   See also net/http: ServeFile panics when StripPrefix over-strips and results in empty path #30165, which is basically running into this as well.
2. When the prefix is URL encoded, this incorrectly results in a 404 response because the RawPath cannot be simply stripped with strings.TrimPrefix. Example: prefix = "/prefix", request path = "/pr%65fix/somepath", expected handler path = "/somepath", actual response = "404 page not found"

What did you expect to see?

For problem 1, I'd expect / as the path.

For Problem 2, I'd expect the prefix to be correctly stripped from the RawPath as well as the Path. There should not be a 404 response in case the requested path contains escape sequences in the prefix part.
I'd also expect the semantics of RawPath to be preserved, i.e. it should only be set if Path cannot be unambiguously encoded. Therefore, a request which has any encoded characters only in the prefix part, should not have RawPath set after it was handled by http.StripPrefix.

[gabyhelp]

Related Issues

• net/http: StripPrefix does not preserve url path #24366 (closed)
• net/http: StripPrefix regression from fix for #30165 #31622 (closed)
• net/http: ServeMux uses URL.Path instead of URL.EscapedPath(), leading it to treat %2F as a path separator #14815 (closed)
• net/http: Redirect changes empty path segments and percent encoding for %2F #76313 (closed)
• net/http: `http.StripPrefix` causing incorrect `Location` header and HTML page in 301 response #69485 (closed)
• net/http/httputil: SingleHostReverseProxy escaped paths are decoded #35908 (closed)
• net/http/httputil: ReverseProxy appends trailing slash to url with empty path #50337 (closed)
• http.StripPrefix not properly handling wildcards with muxes #66510 (closed)
• net/http: ServeMux patterns eliminate semantically-significant encoding differences #75019 (closed)

Related Discussions

• Strange redirect behavior with http.StripPrefix

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

see the decision in #64909 (comment)
The intention is only to do string processing, not path processing.

[zepatrik]

The intention is only to do string processing, not path processing.

I get that, and that is exactly what I'm talking about. I'm not talking about path parameters here, but just the general usability of StripPrefix.

The one issue is that it makes it impossible to properly compose handlers when the path is empty. I guess composing handlers is the main reason for StripPrefix in the first place. A good example is the issue described in #30165 where the handler expects the path to never be "" and panics if it is, which is reasonable as per RFC 7230 §5.3.1. I encountered this exact issue with a custom handler that I was implementing.

The other issue is that URI-encoded paths are not being handled properly because the RawPath prefix is not string-equal to the stripped prefix. This means that encoded paths will always be rejected with an improper error message, even if a custom not found handler is used.
See this example which follows the example form the http.ServeMux documentation.

For matching, both pattern paths and incoming request paths are unescaped segment by segment. So, for example, the path "/a%2Fb/100%25" is treated as having two segments, "a/b" and "100%". The pattern "/a%2fb/" matches it, but the pattern "/a/b/" does not.

func TestEncodedPrefix(t *testing.T) {
	mux := http.NewServeMux()
	mux.Handle("/a%2fb/", http.StripPrefix("/a%2fb", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("Hello World"))
	})))
	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte("fallback handler"))
	}))
	ts := httptest.NewServer(mux)
	t.Cleanup(ts.Close)

	res, err := http.Get(ts.URL + "/a%2fb/100%25")
	if err != nil {
		t.Fatal(err)
	}
	body, err := io.ReadAll(res.Body)
	if err != nil {
		t.Fatal(err)
	}
	if string(body) != "Hello World" {
		t.Errorf("Unexpected body: %s", body)
	}
}

outputs

=== RUN   TestEncodedPrefix
    example_test.go:490: Unexpected body: 404 page not found
--- FAIL: TestEncodedPrefix (0.00s)

[mwriter]

@zepatrik

Yep, I have also encountered problems of this kind. As a result, I wrote a wrapper over http.StripPrefix, path.Clean etc, to get a fully managed code.