author | ivan <ivan> | 2011-04-18 23:15:19 +0000 |
committer | ivan <ivan> | 2011-04-18 23:15:19 +0000 |
commit | 75162bb14b3e38d66617077843f4dfdcaf09d5c4 (patch) | |
tree | d89dd49a476cf2f0859ed6a0adc2992ea6d69d04 /rt/t/web/path-traversal.t | |
parent | fc6209f398899f0211cfcedeb81a3cd65e04a941 (diff) |
import rt 3.8.10
Diffstat (limited to 'rt/t/web/path-traversal.t')
-rw-r--r-- | rt/t/web/path-traversal.t | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/rt/t/web/path-traversal.t b/rt/t/web/path-traversal.t
new file mode 100644
index 000000000..8d2f5cc88
--- /dev/null
+++ b/rt/t/web/path-traversal.t
@@ -0,0 +1,40 @@
+use strict;
+use warnings;
+
+use RT::Test tests => 20;
+
+my ($baseurl, $agent) = RT::Test->started_ok;
+
+$agent->get("$baseurl/NoAuth/../Elements/HeaderJavascript");
+is($agent->status, 400);
+$agent->warning_like(qr/Invalid request.*aborting/,);
+
+$agent->get("$baseurl/NoAuth/../%45lements/HeaderJavascript");
+is($agent->status, 400);
+$agent->warning_like(qr/Invalid request.*aborting/,);
+
+$agent->get("$baseurl/NoAuth/%2E%2E/Elements/HeaderJavascript");
+is($agent->status, 400);
+$agent->warning_like(qr/Invalid request.*aborting/,);
+
+$agent->get("$baseurl/NoAuth/../../../etc/RT_Config.pm");
+is($agent->status, 400);
+$agent->warning_like(qr/Invalid request.*aborting/,);
+
+$agent->get("$baseurl/NoAuth/css/web2/images/../../../../../../etc/RT_Config.pm");
+is($agent->status, 400);
+$agent->warning_like(qr/Invalid request.*aborting/,);
+
+# do not reject these URLs, even though they contain /. outside the path
+$agent->get("$baseurl/index.html?ignored=%2F%2E");
+is($agent->status, 200);
+
+$agent->get("$baseurl/index.html?ignored=/.");
+is($agent->status, 200);
+
+$agent->get("$baseurl/index.html#%2F%2E");
+is($agent->status, 200);
+
+$agent->get("$baseurl/index.html#/.");
+is($agent->status, 200);
+
|
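Review bot: None of the `is` and `warning_like` calls in this new file carry a test description, so a failing assertion reports only its ordinal and a line number, and the five rejection blocks are structurally identical, which makes the failing URL hard to spot from TAP output alone; name the case in each, e.g. `is($agent->status, 400, 'dot-dot segment under /NoAuth is rejected');`. The last two cases place the `/.` sequence in a URL fragment, and if the HTTP client strips the fragment before building the request line (as LWP-based agents presumably do) those two requests reach the server as a plain `GET /index.html`, so they cannot exercise the traversal check either way; a one-line comment such as `# fragments are never sent to the server; these only confirm the client does not choke on them` would make the intent clear, or the two cases could be dropped. The trailing comma inside `warning_like(qr/Invalid request.*aborting/,)` is harmless but reads like a removed description argument and is another place a description would help.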