Fix PathTraversal to work against PATH_INFO in capitals

sinatra · Apr 16, 2013 · 7875ec5 · 7875ec5
1 parent 7c4b33b
commit 7875ec5
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/rack/protection/path_traversal.rb b/lib/rack/protection/path_traversal.rb
@@ -20,7 +20,7 @@ def call(env)
 
       def cleanup(path)
         parts     = []
-        unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
+        unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')
 
         unescaped.split('/').each do |part|
           next if part.empty? or part == '.'

diff --git a/spec/path_traversal_spec.rb b/spec/path_traversal_spec.rb
@@ -14,8 +14,8 @@
 
     { # yes, this is ugly, feel free to change that
       '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
-      '/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
-      '//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
+      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
+      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
     }.each do |a, b|
       it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
     end