CERBERUS/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-05-13 09:06:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

caddyhttp: Evaluate tls.client placeholders more accurately (fix #7530) (#7534)

Browse source
This commit is contained in:
Matt Holt 2026-02-28 22:03:18 -07:00 committed by GitHub
parent cd9e1660aa
commit 174fa2ddb9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/caddyhttp/replacer.go
View file

@ -420,7 +420,16 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
if strings.HasPrefix(field, "client.") {
cert := getTLSPeerCert(req.TLS)
if cert == nil {
return nil, false
// Instead of returning (nil, false) here, we set it to a dummy
// value to fix #7530. This way, even if there is no client cert,
// evaluating placeholders with ReplaceKnown() will still remove
// the placeholder, which would be expected. It is not expected
// for the placeholder to sometimes get removed based on whether
// the client presented a cert. We also do not return true here
// because we probably should remain accurate about whether a
// placeholder is, in fact, known or not.
// (This allocation may be slightly inefficient.)
cert = new(x509.Certificate)
}
// subject alternate names (SANs)