Closed kj closed 5 years ago
The path is split after URI.unescape is called on it, which means that if the path contains '%2F' (the escaped forward slash character), it will be converted to a slash and split on.
Okay, it appears there's more to fixing this than the above, as this doesn't take into account when PATH_INFO gets rewritten.
The path is split after URI.unescape is called on it, which means that if the path contains '%2F' (the escaped forward slash character), it will be converted to a slash and split on.