url.lua:remove_dot_components(): limit beginning-of-string double-dot corner case to prevent triple-dot activation and authority collision

2024-11-08 14:28:21 +01:00 · 2018-08-21 09:07:42 -06:00 · 2018-08-21 09:07:42 -06:00 · c570a32c21
commit c570a32c21
parent c905b5d44f
2 changed files with 2 additions and 1 deletions
--- a/src/url.lua
+++ b/src/url.lua
@ -94,7 +94,7 @@ local function remove_dot_components(path)
    path = path:gsub('[^/]+/%.%./*$', '')
    path = path:gsub('/%.%.$', '/')
    path = path:gsub('/%.$', '/')
-    path = path:gsub('^/%.%.', '')
+    path = path:gsub('^/%.%./', '/')
    return path
 end

--- a/test/urltest.lua
+++ b/test/urltest.lua
@ -685,6 +685,7 @@ check_absolute_url("a/b/c/d/../", "d/e/f", "a/b/c/d/e/f")
 check_absolute_url("http://velox.telemar.com.br", "/dashboard/index.html", 
   "http://velox.telemar.com.br/dashboard/index.html")
 check_absolute_url("http://example.com/", "../.badhost.com/", "http://example.com/.badhost.com/")
+check_absolute_url("http://example.com/", "...badhost.com/", "http://example.com/...badhost.com/")

 print("testing path parsing and composition")
 check_parse_path("/eu/tu/ele", { "eu", "tu", "ele"; is_absolute = 1 })