mirror of
https://github.com/lunarmodules/luasocket.git
synced 2024-12-26 04:28:20 +01:00
url.lua:remove_dot_components(): limit beginning-of-string double-dot corner case to prevent triple-dot activation and authority collision
This commit is contained in:
parent
c905b5d44f
commit
c570a32c21
@ -94,7 +94,7 @@ local function remove_dot_components(path)
|
|||||||
path = path:gsub('[^/]+/%.%./*$', '')
|
path = path:gsub('[^/]+/%.%./*$', '')
|
||||||
path = path:gsub('/%.%.$', '/')
|
path = path:gsub('/%.%.$', '/')
|
||||||
path = path:gsub('/%.$', '/')
|
path = path:gsub('/%.$', '/')
|
||||||
path = path:gsub('^/%.%.', '')
|
path = path:gsub('^/%.%./', '/')
|
||||||
return path
|
return path
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -685,6 +685,7 @@ check_absolute_url("a/b/c/d/../", "d/e/f", "a/b/c/d/e/f")
|
|||||||
check_absolute_url("http://velox.telemar.com.br", "/dashboard/index.html",
|
check_absolute_url("http://velox.telemar.com.br", "/dashboard/index.html",
|
||||||
"http://velox.telemar.com.br/dashboard/index.html")
|
"http://velox.telemar.com.br/dashboard/index.html")
|
||||||
check_absolute_url("http://example.com/", "../.badhost.com/", "http://example.com/.badhost.com/")
|
check_absolute_url("http://example.com/", "../.badhost.com/", "http://example.com/.badhost.com/")
|
||||||
|
check_absolute_url("http://example.com/", "...badhost.com/", "http://example.com/...badhost.com/")
|
||||||
|
|
||||||
print("testing path parsing and composition")
|
print("testing path parsing and composition")
|
||||||
check_parse_path("/eu/tu/ele", { "eu", "tu", "ele"; is_absolute = 1 })
|
check_parse_path("/eu/tu/ele", { "eu", "tu", "ele"; is_absolute = 1 })
|
||||||
|
Loading…
Reference in New Issue
Block a user