authorIvan Kohler <ivan@freeside.biz>2014-05-27 15:20:05 -0700
committerIvan Kohler <ivan@freeside.biz>2014-05-30 13:00:41 -0700
commit0ea23112cfa0d82738b0f08d60d90579721b7524 (patch)
tree392dee3654d0f3839944f748819a39c8ce20192c /rt/lib/RT/Interface/Web/Handler.pm
parent60dd95422a1ad4724e0c5d9dd7f8e8878cd96aa8 (diff)
rt 4.0.20 (RT#13852)
Diffstat (limited to 'rt/lib/RT/Interface/Web/Handler.pm')
-rw-r--r--rt/lib/RT/Interface/Web/Handler.pm2
1 files changed, 1 insertions, 1 deletions
diff --git a/rt/lib/RT/Interface/Web/Handler.pm b/rt/lib/RT/Interface/Web/Handler.pm
index 37031b18d..07e770724 100644
--- a/rt/lib/RT/Interface/Web/Handler.pm
+++ b/rt/lib/RT/Interface/Web/Handler.pm
@@ -278,7 +278,7 @@ sub PSGIApp {
# CGI.pm normalizes .. out of paths so when you requested
# /NoAuth/../Ticket/Display.html we saw Ticket/Display.html
# PSGI doesn't normalize .. so we have to deal ourselves.
- if ( $req->path_info =~ m{/\.} ) {
+ if ( $req->path_info =~ m{(^|/)\.\.?(/|$)} ) {
$RT::Logger->crit("Invalid request for ".$req->path_info." aborting");
my $res = Plack::Response->new(400);
return $self->_psgi_response_cb($res->finalize,sub { $self->CleanupRequest });
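Review bot: The new pattern on the `if` line rejects only whole `.` and `..` segments, so dot-prefixed names such as `/.hidden/file`, which the old `m{/\.}` refused, now pass this guard. Whether that is safe depends on what the component lookup later in PSGIApp will serve, which is not visible here; the function's body starts and ends outside the hunk. If the narrowing is intended, record it in the comment above the check, e.g. `# Reject only "." and ".." segments; dot-prefixed names are deliberately allowed through.` Separately, the unchanged `crit` call concatenates `$req->path_info` (which PSGI supplies already URI-decoded) straight into the log message, so CR/LF or other control bytes in the request path land in the log unescaped. Sanitising a copy first would avoid that, e.g. `(my $shown = $req->path_info) =~ s/[^\x20-\x7e]/?/g;`, then logging `$shown`.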