From 88cd2f0456e3cecc4b85f24a5849642c0a9aa67a Mon Sep 17 00:00:00 2001
From: ITO Nobuaki
Date: Tue, 16 Apr 2013 10:52:19 +0900
Subject: [PATCH] Fix PathTraversal to work against PATH_INFO in capitals
---
 rack-protection/lib/rack/protection/path_traversal.rb | 2 +-
 rack-protection/spec/path_traversal_spec.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rack-protection/lib/rack/protection/path_traversal.rb b/rack-protection/lib/rack/protection/path_traversal.rb
index e78c4b2d..dc232492 100644
--- a/rack-protection/lib/rack/protection/path_traversal.rb
+++ b/rack-protection/lib/rack/protection/path_traversal.rb
@@ -20,7 +20,7 @@ module Rack
 def cleanup(path)
 parts = []
- unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
+ unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')
 unescaped.split('/').each do |part|
 next if part.empty? or part == '.'
diff --git a/rack-protection/spec/path_traversal_spec.rb b/rack-protection/spec/path_traversal_spec.rb
index 6b47705c..b5a6bdc9 100644
--- a/rack-protection/spec/path_traversal_spec.rb
+++ b/rack-protection/spec/path_traversal_spec.rb
@@ -14,8 +14,8 @@ describe Rack::Protection::PathTraversal do
 { # yes, this is ugly, feel free to change that
 '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
- '/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
- '//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
+ '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
+ '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
 }.each do |a, b|
 it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
 end
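Review bot: The new `/%2e/i` and `/%2f/i` replacements on the changed `unescaped = ...` line should say why case-insensitive matching is required, because the bare regexps read like a stylistic quirk rather than a deliberate hardening; a comment such as `# hex digits in percent-encoding are case-insensitive (RFC 3986 §2.1), so %2E/%2F must decode like %2e/%2f` above the assignment would capture it. Both literals are re-created on every call of cleanup; hoisting them to frozen constants on the class (e.g. `ENCODED_DOT = /%2e/i` and `ENCODED_SLASH = /%2f/i`) keeps the per-request path allocation-free and makes the recognised sequences easy to audit in one place. Since this remains a hand-rolled decoder that only recognises these two sequences, any further normalisation the middleware is meant to perform has to be added here explicitly rather than being covered by this change. cleanup's body continues past the end of the hunk.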