http: use Query.Get instead of FormValue, allows POST through

docker: Remove outdated DNSBL argument
2025-04-23 21:30:39 +02:00 · 2025-04-23 21:15:56 +02:00
3 changed files with 10 additions and 9 deletions
--- a/2
+++ b/2
@@ -47,7 +47,6 @@ ENV GOAWAY_CLIENT_IP_HEADER=""
 ENV GOAWAY_BACKEND_IP_HEADER=""
 ENV GOAWAY_JWT_PRIVATE_KEY_SEED=""
 ENV GOAWAY_BACKEND=""
-ENV GOAWAY_DNSBL="dnsbl.dronebl.org"
 ENV GOAWAY_ACME_AUTOCERT=""
 ENV GOAWAY_CACHE="/cache"

@@ -60,7 +59,6 @@ ENTRYPOINT  /bin/go-away --bind "${GOAWAY_BIND}" --bind-network "${GOAWAY_BIND_N
            --policy "${GOAWAY_POLICY}" --policy-snippets "${GOAWAY_POLICY_SNIPPETS}" \
            --client-ip-header "${GOAWAY_CLIENT_IP_HEADER}" --backend-ip-header "${GOAWAY_BACKEND_IP_HEADER}" \
            --cache "${GOAWAY_CACHE}" \
-            --dnsbl "${GOAWAY_DNSBL}" \
            --challenge-template "${GOAWAY_CHALLENGE_TEMPLATE}" --challenge-template-theme "${GOAWAY_CHALLENGE_TEMPLATE_THEME}" \
            --slog-level "${GOAWAY_SLOG_LEVEL}" \
            --acme-autocert "${GOAWAY_ACME_AUTOCERT}" \
--- a/lib/challenge/helper.go
+++ b/lib/challenge/helper.go
@@ -39,11 +39,13 @@ const VerifyChallengeUrlSuffix = "/verify-challenge"

 func GetVerifyInformation(r *http.Request, reg *Registration) (requestId RequestId, redirect, token string, err error) {

-	if r.FormValue(QueryArgChallenge) != reg.Name {
-		return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", r.FormValue(QueryArgChallenge))
+	q := r.URL.Query()
+
+	if q.Get(QueryArgChallenge) != reg.Name {
+		return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", q.Get(QueryArgChallenge))
 	}

-	requestIdHex := r.FormValue(QueryArgRequestId)
+	requestIdHex := q.Get(QueryArgRequestId)

 	if len(requestId) != hex.DecodedLen(len(requestIdHex)) {
 		return RequestId{}, "", "", errors.New("invalid request id")
@@ -55,8 +57,8 @@ func GetVerifyInformation(r *http.Request, reg *Registration) (requestId Request
 		return RequestId{}, "", "", errors.New("invalid request id")
 	}

-	token = r.FormValue(QueryArgToken)
-	redirect, err = utils.EnsureNoOpenRedirect(r.FormValue(QueryArgRedirect))
+	token = q.Get(QueryArgToken)
+	redirect, err = utils.EnsureNoOpenRedirect(q.Get(QueryArgRedirect))
 	if err != nil {
 		return RequestId{}, "", "", err
 	}
--- a/lib/http.go
+++ b/lib/http.go
@@ -96,11 +96,12 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 		if fromChallenge {
 			r.Header.Del("Referer")
 		}
-		if ref := r.FormValue(challenge.QueryArgReferer); ref != "" {
+		q := r.URL.Query()
+
+		if ref := q.Get(challenge.QueryArgReferer); ref != "" {
 			r.Header.Set("Referer", ref)
 		}

-		q := r.URL.Query()
 		// delete query parameters that were set by go-away
 		for k := range q {
 			if strings.HasPrefix(k, challenge.QueryArgPrefix) {
Author	SHA1	Message	Date
WeebDataHoarder	cef915b353	http: use Query.Get instead of FormValue, allows POST through	2025-04-23 21:30:39 +02:00
WeebDataHoarder	10ceca02c9	docker: Remove outdated DNSBL argument	2025-04-23 21:15:56 +02:00