From c5922713bc199600bc8c203155a4016c9d24cbbc Mon Sep 17 00:00:00 2001
From: Ivan Kohler
Date: Tue, 27 May 2014 15:20:05 -0700
Subject: rt 4.0.20 (RT#13852)
---
 rt/lib/RT/Interface/Web/Handler.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'rt/lib/RT/Interface/Web')
diff --git a/rt/lib/RT/Interface/Web/Handler.pm b/rt/lib/RT/Interface/Web/Handler.pm
index 37031b18d..07e770724 100644
--- a/rt/lib/RT/Interface/Web/Handler.pm
+++ b/rt/lib/RT/Interface/Web/Handler.pm
@@ -278,7 +278,7 @@ sub PSGIApp {
 # CGI.pm normalizes .. out of paths so when you requested
 # /NoAuth/../Ticket/Display.html we saw Ticket/Display.html
 # PSGI doesn't normalize .. so we have to deal ourselves.
- if ( $req->path_info =~ m{/\.} ) {
+ if ( $req->path_info =~ m{(^|/)\.\.?(/|$)} ) {
 $RT::Logger->crit("Invalid request for ".$req->path_info." aborting");
 my $res = Plack::Response->new(400);
 return $self->_psgi_response_cb($res->finalize,sub { $self->CleanupRequest });
--
cgit v1.2.1
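Review bot: The narrowed pattern on the `+` line rejects only path segments that are exactly `.` or `..`, so a request whose segment merely starts with a dot, which the old `m{/\.}` answered with 400, now continues into the rest of PSGIApp. Whether anything under the served component roots relied on that broader rejection to keep dot-prefixed files from being reached is not visible in this hunk and should be confirmed before merging. The comment above the test still describes only `..` normalization; I would add a line such as `# Reject only "." and ".." segments; dot-prefixed names are deliberately allowed.` so the reduced scope reads as intentional. The groups are never read back, so `m{(?:^|/)\.\.?(?:/|$)}` states the intent without captures. PSGIApp's body starts and ends outside the hunk, so later handling of `path_info` could not be checked.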