authorIvan Kohler <ivan@freeside.biz>2014-05-27 15:20:05 -0700
committerIvan Kohler <ivan@freeside.biz>2014-05-27 15:20:05 -0700
commitc5922713bc199600bc8c203155a4016c9d24cbbc (patch)
tree1b9ec8323fdab801c4ca6aaf74234bfe8f74c56c /rt/t/web
parent7c841dec307feed06ee532ac18e4114ef68243a8 (diff)
rt 4.0.20 (RT#13852)
Diffstat (limited to 'rt/t/web')
-rw-r--r--rt/t/web/path-traversal.t11
1 files changed, 10 insertions, 1 deletions
diff --git a/rt/t/web/path-traversal.t b/rt/t/web/path-traversal.t
index 5d5c954a1..01302e672 100644
--- a/rt/t/web/path-traversal.t
+++ b/rt/t/web/path-traversal.t
@@ -1,9 +1,10 @@
use strict;
use warnings;
-use RT::Test tests => 22;
+use RT::Test tests => undef;
my ($baseurl, $agent) = RT::Test->started_ok;
+ok($agent->login);
$agent->get("$baseurl/NoAuth/../Elements/HeaderJavascript");
is($agent->status, 400);
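Review bot: The added `ok($agent->login);` carries no test description, so if the login fails the TAP output shows only a bare "not ok" followed by a cascade of unrelated failures from the requests below; `ok($agent->login, 'logged in before traversal requests');` makes the cause readable. Because the login now precedes the `/NoAuth/../Elements/HeaderJavascript` request, the 400 assertion exercises the rejection on an authenticated session rather than an anonymous one, which is worth stating in a comment since the guard is expected to fire regardless of session state. The rest of the file's assertions continue beyond this hunk.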
@@ -31,6 +32,12 @@ SKIP: {
$agent->warning_like(qr/Invalid request.*aborting/,);
};
+# Do not reject a simple /. in the URL, for downloading uploaded
+# dotfiles, for example.
+$agent->get("$baseurl/Ticket/Attachment/28/9/.bashrc");
+is($agent->status, 200); # Even for a file not found, we return 200
+$agent->content_contains("Bad attachment id");
+
# do not reject these URLs, even though they contain /. outside the path
$agent->get("$baseurl/index.html?ignored=%2F%2E");
is($agent->status, 200);
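Review bot: The new `/Ticket/Attachment/28/9/.bashrc` check depends on ids 28 and 9 not existing in the test database: `is($agent->status, 200);` plus `content_contains("Bad attachment id")` only shows that the dotfile path reached the attachment handler instead of the 400 traversal guard, and a later fixture that creates those records would turn this into a different test without failing it. The trailing comment could make that explicit, e.g. `# ids chosen so the lookup fails; what matters is that "/." reaches the handler instead of the traversal guard`. A description on the status assertion would likewise help a regression read correctly, e.g. `is($agent->status, 200, '/. in a path segment is not rejected as traversal');`. The new lines sit at file scope after the SKIP block that closes at the top of the hunk.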
@@ -44,3 +51,5 @@ is($agent->status, 200);
$agent->get("$baseurl/index.html#/.");
is($agent->status, 200);
+undef $agent;
+done_testing;