diegonehab
/
luasocket
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

url.lua:remove_dot_components(): limit beginning-of-string double-dot corner case to prevent triple-dot activation and authority collision

master
E. Westbrook 2018-08-21 09:07:42 -06:00
parent c905b5d44f
commit c570a32c21
2 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/url.lua
View File

@ -94,7 +94,7 @@ local function remove_dot_components(path)
path = path:gsub('[^/]+/%.%./*$', '')
path = path:gsub('/%.%.$', '/')
path = path:gsub('/%.$', '/')
path = path:gsub('^/%.%.', '')
path = path:gsub('^/%.%./', '/')
return path
end

1
test/urltest.lua
View File

@ -685,6 +685,7 @@ check_absolute_url("a/b/c/d/../", "d/e/f", "a/b/c/d/e/f")
check_absolute_url("http://velox.telemar.com.br", "/dashboard/index.html",
"http://velox.telemar.com.br/dashboard/index.html")
check_absolute_url("http://example.com/", "../.badhost.com/", "http://example.com/.badhost.com/")
check_absolute_url("http://example.com/", "...badhost.com/", "http://example.com/...badhost.com/")
print("testing path parsing and composition")
check_parse_path("/eu/tu/ele", { "eu", "tu", "ele"; is_absolute = 1 })