From c570a32c219c957fd405ed018f2500f06952c043 Mon Sep 17 00:00:00 2001
From: "E. Westbrook"
Date: Tue, 21 Aug 2018 09:07:42 -0600
Subject: [PATCH] url.lua:remove_dot_components(): limit beginning-of-string double-dot corner case to prevent triple-dot activation and authority collision
---
 src/url.lua | 2 +-
 test/urltest.lua | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/url.lua b/src/url.lua
index a354ab5..0d88adb 100644
--- a/src/url.lua
+++ b/src/url.lua
@@ -94,7 +94,7 @@ local function remove_dot_components(path)
 path = path:gsub('[^/]+/%.%./*$', '')
 path = path:gsub('/%.%.$', '/')
 path = path:gsub('/%.$', '/')
- path = path:gsub('^/%.%.', '')
+ path = path:gsub('^/%.%./', '/')
 return path
 end
diff --git a/test/urltest.lua b/test/urltest.lua
index 649be88..8664fa6 100644
--- a/test/urltest.lua
+++ b/test/urltest.lua
@@ -685,6 +685,7 @@ check_absolute_url("a/b/c/d/../", "d/e/f", "a/b/c/d/e/f")
 check_absolute_url("http://velox.telemar.com.br", "/dashboard/index.html", "http://velox.telemar.com.br/dashboard/index.html")
 check_absolute_url("http://example.com/", "../.badhost.com/", "http://example.com/.badhost.com/")
+check_absolute_url("http://example.com/", "...badhost.com/", "http://example.com/...badhost.com/")
 print("testing path parsing and composition")
 check_parse_path("/eu/tu/ele", { "eu", "tu", "ele"; is_absolute = 1 })
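Review bot: The last `gsub` in `remove_dot_components` (src/url.lua) now carries a security-relevant distinction that nothing in the code explains. Requiring the trailing slash and substituting `'/'` is what stops a first segment that merely begins with two dots, such as `/...badhost.com/`, from losing its leading slash and being joined onto the authority. A later cleanup could shorten the pattern again without noticing, so I would add a comment above the line, for example `-- strip only a whole leading "/../" segment and keep the "/"; a bare "^/.." match also eats "/...x" and lets the remainder merge into the host`. The opening of the function and its earlier passes are outside this hunk, so whether several consecutive leading `/../` segments are fully collapsed before this line cannot be confirmed from here.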
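Review bot: The added case in test/urltest.lua covers only the relative reference `...badhost.com/`, which presumably reaches the changed pattern only after being joined to the base path. A rooted reference would hit the anchored pattern directly and is the more direct regression guard for the authority collision named in the subject. Consider also adding `check_absolute_url("http://example.com/", "/...badhost.com/", "http://example.com/...badhost.com/")`; the expected value is inferred from the new pattern and has not been run.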