From c5922713bc199600bc8c203155a4016c9d24cbbc Mon Sep 17 00:00:00 2001
From: Ivan Kohler
Date: Tue, 27 May 2014 15:20:05 -0700
Subject: rt 4.0.20 (RT#13852)
---
 rt/t/web/path-traversal.t | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'rt/t/web')
diff --git a/rt/t/web/path-traversal.t b/rt/t/web/path-traversal.t
index 5d5c954a1..01302e672 100644
--- a/rt/t/web/path-traversal.t
+++ b/rt/t/web/path-traversal.t
@@ -1,9 +1,10 @@
 use strict;
 use warnings;
-use RT::Test tests => 22;
+use RT::Test tests => undef;
 my ($baseurl, $agent) = RT::Test->started_ok;
+ok($agent->login);
 $agent->get("$baseurl/NoAuth/../Elements/HeaderJavascript");
 is($agent->status, 400);
@@ -31,6 +32,12 @@ SKIP: {
 $agent->warning_like(qr/Invalid request.*aborting/,);
 };
+# Do not reject a simple /. in the URL, for downloading uploaded
+# dotfiles, for example.
+$agent->get("$baseurl/Ticket/Attachment/28/9/.bashrc");
+is($agent->status, 200); # Even for a file not found, we return 200
+$agent->content_contains("Bad attachment id");
+
 # do not reject these URLs, even though they contain /. outside the path
 $agent->get("$baseurl/index.html?ignored=%2F%2E");
 is($agent->status, 200);
@@ -44,3 +51,5 @@ is($agent->status, 200);
 $agent->get("$baseurl/index.html#/.");
 is($agent->status, 200);
+undef $agent;
+done_testing;
--
cgit v1.2.1
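Review bot: The new positive case at `$agent->get("$baseurl/Ticket/Attachment/28/9/.bashrc")` proves the URL was not rejected only indirectly: a 200 status alone does not distinguish "reached the attachment handler" from "rejected and rendered an error page", so the `content_contains("Bad attachment id")` line is the assertion that carries the point, and it presumably relies on ticket 28 / attachment 9 not existing in the fresh test database. Both assertions lack descriptions, unlike what a failure in this file would need to read clearly; suggest `is($agent->status, 200, "/. in the final path segment is not rejected");` and `$agent->content_contains("Bad attachment id", "request reached the attachment handler, not the traversal guard");`. The rejection cases earlier in the file pair the status check with `warning_like(qr/Invalid request.*aborting/)`; if RT::Test offers a way to assert that no such warning was emitted, the positive case would be stronger with that check too, so a regression that rejects the URL but still returns 200 cannot slip through. The `SKIP:` block in the second hunk starts outside the hunk.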