import rt 3.8.10

[freeside.git] / rt / lib / RT / Interface / Web / Standalone.pm

diff --git a/rt/lib/RT/Interface/Web/Standalone.pm b/rt/lib/RT/Interface/Web/Standalone.pm
index 91dbac3..3157e31 100755 (executable)
--- a/rt/lib/RT/Interface/Web/Standalone.pm
+++ b/rt/lib/RT/Interface/Web/Standalone.pm
@@ -77,6 +77,15 @@ sub handle_request {
 
     Module::Refresh->refresh if RT->Config->Get('DevelMode');
     RT::ConnectToDatabase() unless RT->InstallMode;
+
+    # Each environment has its own way of handling .. and so on in paths,
+    # so RT consistently forbids such paths.
+    if ( $cgi->path_info =~ m{/\.} ) {
+        $RT::Logger->crit("Invalid request for ".$cgi->path_info." aborting");
+        print STDOUT "HTTP/1.0 400\r\n\r\n";
+        return RT::Interface::Web::Handler->CleanupRequest();
+    }
+
     $self->SUPER::handle_request($cgi);
     $RT::Logger->crit($@) if $@ && $RT::Logger;
     warn $@ if $@ && !$RT::Logger;