From ae72beb24ef94eef4cf31113c5910c884a368965 Mon Sep 17 00:00:00 2001
From: Fabian Stelzer
Date: Mon, 9 Aug 2021 12:46:26 +0000
Subject: [PATCH] Enable UseEncodedPath() for frontend mux

This allows urls with encoded characters (e.g.: /%2F/) to pass to the upstream mux instead of triggering a HTTP 301 from the frontend. Otherwise a /%2F/test/ will result in a HTTP 301 -> /test/
---
 oauthproxy.go | 4 +++-
 oauthproxy_test.go | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/oauthproxy.go b/oauthproxy.go
index e2d20ed..fb6ef0b 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -265,7 +265,9 @@ func (p *OAuthProxy) setupServer(opts *options.Options) error {
 }

 func (p *OAuthProxy) buildServeMux(proxyPrefix string) {
- r := mux.NewRouter()
+ // Use the encoded path here so we can have the option to pass it on in the upstream mux.
+ // Otherwise something like /%2F/ would be redirected to / here already.
+ r := mux.NewRouter().UseEncodedPath()
 // Everything served by the router must go through the preAuthChain first.
 r.Use(p.preAuthChain.Then)

diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index cb1dcee..3a795f1 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -915,6 +915,15 @@ func TestUserInfoEndpointUnauthorizedOnNoCookieSetError(t *testing.T) {
 assert.Equal(t, http.StatusUnauthorized, test.rw.Code)
 }

+func TestEncodedUrlsStayEncoded(t *testing.T) {
+ encodeTest, err := NewSignInPageTest(false)
+ if err != nil {
+ t.Fatal(err)
+ }
+ code, _ := encodeTest.GetEndpoint("/%2F/test1/%2F/test2")
+ assert.Equal(t, 403, code)
+}
+
 func NewAuthOnlyEndpointTest(querystring string, modifiers ...OptionsModifier) (*ProcessCookieTest, error) {
 pcTest, err := NewProcessCookieTestWithOptionsModifiers(modifiers...)
 if err != nil {
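Review bot: The new comment in `buildServeMux` explains the avoided redirect but not the consequence for matching: with `UseEncodedPath()` gorilla/mux both matches routes and applies its clean-path redirect against `r.URL.EscapedPath()` instead of the decoded `r.URL.Path`, so percent-encoded separators and dot segments (`%2F`, `%2E%2E`) are no longer collapsed before the request reaches the handlers. Any later allow-list or skip-auth check that compares against the decoded `req.URL.Path` would then evaluate a different string from the one the router matched and the upstream receives; whether such a check exists is not visible in this hunk, so it is worth confirming before merging. I would extend the comment with `// NOTE: routes now match the escaped path; auth allow-list checks must use the same form of the path that is forwarded upstream.` The body of `buildServeMux` continues past the end of the hunk.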
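Review bot: `TestEncodedUrlsStayEncoded` asserts only the status code, so it shows that the request is no longer answered with a 301 but not that the path stayed encoded, which is what the name claims; the body returned by `GetEndpoint` is discarded. The bare `403` would read better as `assert.Equal(t, http.StatusForbidden, code)`, matching the `http.StatusUnauthorized` constant used in the test just above. Because this commit changes how paths are normalised in front of authentication, a second case with percent-encoded dot segments that asserts the request is still rejected would pin the security-relevant behaviour. A one-line comment such as `// unauthenticated request: sign-in page answers 403 instead of a 301 redirect` would also make the expected value self-explanatory.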