Add explanation to HelpController#clean_path_info.

1 files changed, 16 insertions, 3 deletions

diff --git a/app/controllers/help_controller.rb b/app/controllers/help_controller.rb
index 0010caad773..0e5567c7734 100644
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -37,21 +37,34 @@ class HelpController < ApplicationController
   def ui
   end
 
-  # Taken from ActionDispatch::FileHandler
   PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
 
+  # Taken from ActionDispatch::FileHandler
+  # Cleans up the path, to prevent directory traversal outside the doc folder.
   def clean_path_info(path_info)
-    parts = path_info.split PATH_SEPS
+    parts = path_info.split(PATH_SEPS)
 
     clean = []
 
+    # Walk over each part of the path
     parts.each do |part|
+      # Turn `one//two` or `one/./two` into `one/two`.
       next if part.empty? || part == '.'
-      part == '..' ? clean.pop : clean << part
+
+      if part == '..'
+        # Turn `one/two/../` into `one`
+        clean.pop
+      else
+        # Add simple folder names to the clean path.
+        clean << part
+      end
     end
 
+    # If the path was an absolute path (i.e. `/` or `/one/two`),
+    # add `/` to the front of the clean path.
     clean.unshift '/' if parts.empty? || parts.first.empty?
 
+    # Join all the clean path parts by the path separator.
     ::File.join(*clean)
   end
 end