sinatra / rack-protection

NOTE: This project has been merged upstream to sinatra/sinatra
https://github.com/sinatra/sinatra/tree/master/rack-protection

Fix PathTraversal to leave encoding of PATH_INFO unchanged #54

Closed dayflower closed 11 years ago

dayflower commented 11 years ago

In the current implementation, the PathTraversal#cleanup method changes the encoding of env['PATH_INFO'] from ASCII-8BIT to US-ASCII (the script's default encoding) on Ruby 1.9.x. (Ruby 2.0+ is safe.) Because US-ASCII is not 8-bit clean, that behavior breaks some modules (such as http_router) when we access URLs with non-Latin characters.

So I wrote a patch that is encoding-aware on Ruby 1.9+.

Also, commit dayflower@7875ec5 is attached to this pull request; it fixes the check for escape sequences written in capitals (e.g. %2E).
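The two points raised in the description, keeping the encoding of PATH_INFO untouched and matching percent-escapes case-insensitively, can be shown together in a small path cleanup routine. The following is an added example for this page, not rack-protection's own code: the method name `cleanup_path` is hypothetical, and it assumes the input is the raw Rack PATH_INFO string (usually ASCII-8BIT on Ruby 1.9). It goes slightly beyond the description by also folding backslashes into slashes, since they are the other separator a traversal filter normally has to consider.

```ruby
# Added example (not rack-protection's code). Collapse "." and ".." segments in a
# request path without changing the string's encoding, so byte sequences of
# non-Latin characters survive for downstream routers.
# Assumption: `path` is the raw PATH_INFO (typically ASCII-8BIT on Ruby 1.9).
def cleanup_path(path)
  encoding = path.encoding

  # Decode only the escapes that matter for traversal, case-insensitively
  # (%2e and %2E, %2f and %2F, %5c and %5C), then fold backslashes to slashes.
  # The replacements are ASCII-only, so the result stays in the input encoding.
  unescaped = path.gsub(/%2e/i, '.')
                  .gsub(/%2f/i, '/')
                  .gsub(/%5c/i, '\\')
                  .tr('\\', '/')

  parts = []
  unescaped.split('/').each do |segment|
    next if segment.empty? || segment == '.' # empty (doubled slash) or current dir
    if segment == '..'
      parts.pop # step up, but never above the root (pop on [] is a no-op)
    else
      parts << segment
    end
  end

  cleaned = '/' + parts.join('/')
  # Keep a trailing slash when the request ended in "/", "/." or "/..",
  # as long as something remains below the root.
  cleaned << '/' if parts.any? && unescaped =~ %r{/\.{0,2}\z}

  # Hand back the same encoding we received; the bytes were never transcoded.
  cleaned.force_encoding(encoding)
end

if __FILE__ == $0
  # Constructed sample: UTF-8 bytes of "café" inside a binary PATH_INFO,
  # plus an uppercase %2E%2E that a case-sensitive filter would miss.
  raw = "/caf\xC3\xA9/../admin/%2E%2E/index".dup.force_encoding(Encoding::ASCII_8BIT)
  puts cleanup_path(raw).inspect
end
```

The routine never transcodes: every replacement string is ASCII-only, so `gsub`, `split` and `join` keep the receiver's encoding, and the final `force_encoding` makes the contract explicit. If PATH_INFO ever arrives as a UTF-8 string with invalid bytes, the regex `gsub` calls will raise ArgumentError; on a real Rack stack PATH_INFO is binary, which is exactly why the original cleanup must not coerce it to US-ASCII.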