Merge pull request #1379 from orangetw/master

enhanced path validation in Windows
2023-03-27 23:18:01 -04:00 · 2018-02-11 15:49:21 +09:00 · 2018-02-11 15:49:21 +09:00 · 6bcc6c3499
commit 6bcc6c3499
parent d661739853 ba7af51bd7
1 changed files with 4 additions and 1 deletions
--- a/rack-protection/lib/rack/protection/path_traversal.rb
+++ b/rack-protection/lib/rack/protection/path_traversal.rb
@ -24,14 +24,17 @@ module Rack
          encoding = path.encoding
          dot   = '.'.encode(encoding)
          slash = '/'.encode(encoding)
+          backslash = '\\'.encode(encoding)
        else
          # Ruby 1.8
          dot   = '.'
          slash = '/'
+          backslash = '\\'
        end

        parts     = []
-        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)

        unescaped.split(slash).each do |part|
          next if part.empty? or part == dot