[workers-shared] fix: Normalize backslash characters in /cdn-cgi paths#12752

Merged
WillTaylorDev merged 1 commit into main from willtaylor/security-cdn-cgi
Mar 4, 2026

@WillTaylorDev WillTaylorDev commented Mar 4, 2026

Redirect requests containing backslash characters in /cdn-cgi paths to their normalized equivalents. Some browsers and HTTP clients treat backslashes as path separators inconsistently, which could lead to unexpected routing behavior.

This change normalizes the URL and issues a 307 redirect to ensure consistent handling across all clients.

Fixes #WC-4546


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: N/A

A picture of a cute animal (not mandatory, but encouraged)
image
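
The normalize-then-redirect behaviour described in the PR description above, as an added JavaScript example that is not the workers-shared code from this PR. The function names, the raw request-target input and the sample paths are assumptions made for illustration.

```javascript
// Added illustration, not the workers-shared implementation.
// Assumption: the handler sees the request target as received. The WHATWG
// URL parser rewrites "\" to "/" for http(s) URLs, so a parsed pathname
// alone cannot tell whether the client sent a backslash.
const CDN_CGI = "/cdn-cgi";

// Split "/path?query" without URL-parsing, so backslashes survive.
function splitTarget(rawTarget) {
  const q = rawTarget.indexOf("?");
  return q === -1
    ? { path: rawTarget, query: "" }
    : { path: rawTarget.slice(0, q), query: rawTarget.slice(q) };
}

// Returns { status, location } when the path contains a literal backslash
// and its normalized form is under /cdn-cgi; otherwise null (no redirect).
function cdnCgiBackslashRedirect(rawTarget) {
  const { path, query } = splitTarget(rawTarget);
  if (!path.includes("\\")) return null;
  const normalized = path.replace(/\\/g, "/");
  // Anchoring on the prefix also guarantees the Location value is a
  // same-origin path: "\\host/cdn-cgi" becomes "//host/cdn-cgi" and is
  // rejected here instead of being emitted as a protocol-relative redirect.
  if (normalized !== CDN_CGI && !normalized.startsWith(CDN_CGI + "/")) return null;
  // 307 keeps the request method and body on the follow-up request.
  return { status: 307, location: normalized + query };
}

// Constructed sample targets (not taken from the PR).
const samples = [
  "/cdn-cgi\\foo/bar?x=1",
  "\\cdn-cgi\\foo",
  "/cdn-cgi/foo?next=a\\b",
  "/assets\\app.js",
  "\\\\other.example/cdn-cgi/foo",
];
for (const target of samples) {
  console.log(JSON.stringify(target), "->", cdnCgiBackslashRedirect(target));
}
```

Only the path component is normalized here; a backslash inside the query string is left untouched and does not trigger a redirect.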



@WillTaylorDev WillTaylorDev requested review from a team as code owners March 4, 2026 12:11
@github-project-automation github-project-automation bot moved this to Untriaged in workers-sdk Mar 4, 2026
changeset-bot bot commented Mar 4, 2026

🦋 Changeset detected

Latest commit: 2054c03

The changes in this PR will be included in the next version bump.

workers-devprod commented Mar 4, 2026

Codeowners approval required for this PR:

  • ✅ @cloudflare/deploy-config
  • ✅ @cloudflare/wrangler

github-actions bot commented Mar 4, 2026

✅ All changesets look good

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

Redirect requests containing backslash characters in /cdn-cgi paths to their
normalized equivalents. Some browsers and HTTP clients treat backslashes as
path separators inconsistently, which could lead to unexpected routing behavior.

This change normalizes the URL and issues a 307 redirect to ensure consistent
handling across all clients.
@WillTaylorDev WillTaylorDev force-pushed the willtaylor/security-cdn-cgi branch from 8951402 to 2054c03 Compare March 4, 2026 12:15
@petebacondarwin petebacondarwin left a comment

Great! With those two tiny comments

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Mar 4, 2026
@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 1 new potential issue.

pkg-pr-new bot commented Mar 4, 2026

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@12752

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@12752

miniflare

npm i https://pkg.pr.new/miniflare@12752

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@12752

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@12752

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@12752

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@12752

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@12752

wrangler

npm i https://pkg.pr.new/wrangler@12752

commit: 694cfef

@WillTaylorDev WillTaylorDev merged commit 00a4356 into main Mar 4, 2026
43 of 50 checks passed
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Mar 4, 2026
@WillTaylorDev WillTaylorDev deleted the willtaylor/security-cdn-cgi branch March 4, 2026 15:00