Don't use ServerMux due to URI normalization: we do it our own way

helpers.go

@@ -12,6 +12,7 @@ import (
 	"os"
 	"os/exec"
 	"syscall"
+	"path"
 )
 
 func fail500(w http.ResponseWriter, err error) {
@@ -23,6 +24,13 @@ func logError(err error) {
 	log.Printf("error: %v", err)
 }
 
+func httpError(w http.ResponseWriter, r *http.Request, error string, code int) {
+	if r.ProtoAtLeast(1, 1) {
+		w.Header().Set("Connection", "close")
+	}
+	http.Error(w, error, code)
+}
+
 // Git subprocess helpers
 func gitCommand(gl_id string, name string, args ...string) *exec.Cmd {
 	cmd := exec.Command(name, args...)
@@ -90,3 +98,21 @@ func openFile(path string) (file *os.File, fi os.FileInfo, err error) {
 
 	return
 }
+
+// Borrowed from: net/http/server.go
+// Return the canonical path for p, eliminating . and .. elements.
+func cleanURIPath(p string) string {
+	if p == "" {
+		return "/"
+	}
+	if p[0] != '/' {
+		p = "/" + p
+	}
+	np := path.Clean(p)
+	// path.Clean removes trailing slash except for root;
+	// put the trailing slash back if necessary.
+	if p[len(p)-1] == '/' && np != "/" {
+		np += "/"
+	}
+	return np
+}

main.go

@@ -171,10 +171,5 @@ func main() {
 
 	upstream := newUpstream(*authBackend, proxyTransport)
 	upstream.SetRelativeURLRoot(*relativeURLRoot)
-
-	// Because net/http/pprof installs itself in the DefaultServeMux
-	// we create a fresh one for the Git server.
-	serveMux := http.NewServeMux()
-	serveMux.Handle(upstream.relativeURLRoot, upstream)
-	log.Fatal(http.Serve(listener, serveMux))
+	log.Fatal(http.Serve(listener, upstream))
 }

upstream.go

@@ -12,6 +12,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"strings"
+	"fmt"
 )
 
 type serviceHandleFunc func(w http.ResponseWriter, r *gitRequest)
@@ -92,10 +93,29 @@ func (u *upstream) ServeHTTP(ow http.ResponseWriter, r *http.Request) {
 	w := newLoggingResponseWriter(ow)
 	defer w.Log(r)
 
+	// Drop WebSocket connection and CONNECT method
+	if r.RequestURI == "*" {
+		httpError(&w, r, "Connection upgrade not allowed", http.StatusBadRequest)
+		return
+	}
+
+	// Disallow connect
+	if r.Method == "CONNECT" {
+		httpError(&w, r, "CONNECT not allowed", http.StatusBadRequest)
+		return
+	}
+
+	// Check URL Root
+	URIPath := cleanURIPath(r.URL.Path)
+	if !strings.HasPrefix(URIPath, u.relativeURLRoot) {
+		httpError(&w, r, fmt.Sprintf("Not found %q", URIPath), http.StatusNotFound)
+		return
+	}
+
 	// Strip prefix and add "/"
 	// To match against non-relative URL
 	// Making it simpler for our matcher
-	relativeURIPath := "/" + strings.TrimPrefix(r.URL.Path, u.relativeURLRoot)
+	relativeURIPath := cleanURIPath(strings.TrimPrefix(URIPath, u.relativeURLRoot))
 
 	// Look for a matching Git service
 	foundService := false
@@ -112,7 +132,7 @@ func (u *upstream) ServeHTTP(ow http.ResponseWriter, r *http.Request) {
 	if !foundService {
 		// The protocol spec in git/Documentation/technical/http-protocol.txt
 		// says we must return 403 if no matching service is found.
-		http.Error(&w, "Forbidden", 403)
+		httpError(&w, r, "Forbidden", http.StatusForbidden)
 		return
 	}