Check for directory traversal after unescaping
The `forbidden_request?` check could be trivially bypassed by percent encoding `..` as `%2e%2e`. After auditing Sprockets and Hike and fuzzing a simple server, I don't believe this is exploitable. However, better safe than sorry/defense in depth/etc.
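The check described in the commit message, as an added Ruby example that is not Sprockets' or the commit's own code: the same `..` segment test run on the raw request path and on the percent-decoded path. The `percent_decode` helper is assumed here; the real server's decoder may differ.

```ruby
# Added example, not Sprockets' own code: the same ".." segment check
# applied to the raw request path and to the percent-decoded path.

# Minimal percent-decoder (assumed here; a real server's decoder may differ).
def percent_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Naive check on the raw path: misses "%2e%2e" because it never decodes.
def forbidden_before_unescape?(path)
  path.split('/').include?('..')
end

# Hardened check: decode first, then look for a ".." path segment.
def forbidden_after_unescape?(path)
  percent_decode(path).split('/').include?('..')
end

if __FILE__ == $0
  # Constructed sample paths; the second is the encoded form from the commit message.
  ['/assets/../etc/passwd', '/assets/%2e%2e/etc/passwd', '/assets/application.js'].each do |p|
    puts "#{p}: before=#{forbidden_before_unescape?(p)} after=#{forbidden_after_unescape?(p)}"
  end
end
```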