Is opium sanitising paths?

[ghost]

Say one does:

let print_ymd =
  get "/:title"
      begin fun req ->
      let filename = param req "title" in
      let filepath = "dir/" ^ filename in
      `Html load_file filepath |> respond'
      end

There could be an issue with a malicious request containing ../../. But using telnet I noticed that opium seems to ignore the first ../../. Is that normal behaviour?

[rgrinberg]

I've added a test to verify that indeed opium route params don't match such params.

https://github.com/rgrinberg/opium/commit/98fa61b853a5d34a3c11dc9c4804759b5db98842

I'll have to investigate the cause of the redirection further. Perhaps it's done at the cohttp layer.