zhanjh / minify

Automatically exported from code.google.com/p/minify
BSD 3-Clause "New" or "Revised" License

"./" in URL causes 400 Bad Request #198

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Minify version: 2.1.4
PHP version: any

What steps will reproduce the problem?
1. <script type="text/javascript" src="/min/?f=/dojo/dojo.js"></script>

Expected output:

200 OK

Actual output:

400 Bad Request (for URLs such as http://localhost/min/?f=/dojo/./_firebug/firebug.js)

This issue is due to line 98 in min/lib/Minify/Controller/MinApp.php:

http://code.google.com/p/minify/source/browse/branches/2.1.4/min/lib/Minify/Controller/MinApp.php#97

Commenting out line 98 fixes this problem. Was the intent of this line to 
exclude URLs that contained "../"?

Original issue reported on code.google.com by rasa7...@gmail.com on 22 Oct 2010 at 3:15

GoogleCodeExporter commented 9 years ago
Since the realpath() of each source file is checked to be inside a set of 
allowed directories, I suppose the prohibition of "../" is unnecessary (and my 
rationale for prohibiting "./" was flimsy, too).

It'll be removed!

Original comment by mrclay....@gmail.com on 22 Oct 2010 at 6:25
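
The realpath() containment check described in the comment above, sketched as an added example (not Minify's own code; the function name `resolveSource`, the temp directory layout and the sample requests are assumptions made for illustration). It shows why a canonical-path check makes string-level filtering of "./" and "../" redundant, including the sibling-directory prefix case that a naive prefix comparison gets wrong:

```php
<?php
// Added illustration; resolveSource() and the directory names are hypothetical.

/**
 * Resolve $requested (as passed in ?f=) under $docRoot and return its
 * canonical path only if it lies inside one of $allowedDirs, else null.
 */
function resolveSource(string $docRoot, string $requested, array $allowedDirs): ?string
{
    // realpath() collapses "./", "../" and symlinks, or returns false if missing.
    $real = realpath($docRoot . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($real === false || !is_file($real)) {
        return null;
    }
    foreach ($allowedDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        // The trailing separator stops ".../www" from matching ".../www-private".
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0) {
            return $real;
        }
    }
    return null;
}

// Constructed sample tree in a temp directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'minify_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/www/dojo/_firebug", 0700, true);
mkdir("$tmp/www-private", 0700, true);
file_put_contents("$tmp/www/dojo/_firebug/firebug.js", '// js');
file_put_contents("$tmp/www-private/secret.js", '// secret');

$root = "$tmp/www";
$cases = [
    '/dojo/./_firebug/firebug.js',       // "./" segment inside the root
    '/dojo/../dojo/_firebug/firebug.js', // "../" that resolves back inside the root
    '/../www-private/secret.js',         // "../" that resolves to a sibling directory
    '/dojo/missing.js',                  // nonexistent file: realpath() returns false
];
foreach ($cases as $f) {
    $r = resolveSource($root, $f, [$root]);
    printf("%-38s %s\n", $f, $r === null ? 'rejected' : 'allowed');
}
```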

GoogleCodeExporter commented 9 years ago
Limitation removed in git master

Original comment by mrclay....@gmail.com on 3 Sep 2011 at 11:31