add ssl_no_verify option to all http exports, RT#29298

[freeside.git] / rt / bin / mason_handler.fcgi.in

diff --git a/rt/bin/mason_handler.fcgi.in b/rt/bin/mason_handler.fcgi.in
index b980bc1..7f1ce8d 100644 (file)
--- a/rt/bin/mason_handler.fcgi.in
+++ b/rt/bin/mason_handler.fcgi.in
@@ -3,7 +3,7 @@
 #
 # COPYRIGHT:
 #
-# This software is Copyright (c) 1996-2011 Best Practical Solutions, LLC
+# This software is Copyright (c) 1996-2013 Best Practical Solutions, LLC
 #                                          <sales@bestpractical.com>
 #
 # (Except where explicitly superseded by other copyright notices)
@@ -68,6 +68,17 @@ while ( my $cgi = CGI::Fast->new ) {
     Module::Refresh->refresh if RT->Config->Get('DevelMode');
     RT::ConnectToDatabase();
 
+    # Each environment has its own way of handling .. and so on in paths,
+    # so RT consistently forbids such paths.
+    if ( $cgi->path_info =~ m{/\.} ) {
+        $RT::Logger->crit("Invalid request for ".$cgi->path_info." aborting");
+        print STDOUT "HTTP/1.0 400\r\n\r\n";
+
+        RT::Interface::Web::Handler->CleanupRequest();
+
+        next;
+    }
+
     my $interp = $RT::Mason::Handler->interp;
     if (
         !$interp->comp_exists( $cgi->path_info )