author | Douwe Maan <douwe@gitlab.com> | 2019-04-09 10:02:33 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2019-04-09 10:02:33 +0000 |
commit | 089b9e572c47fb9239e2516f6b1e66a890b90619 (patch) | |
tree | 96f493bd5501097270c004c823936c92f1074b8c /app | |
parent | 7a7808e3ccbfa7c4ea37e4d7ea4421f778027b17 (diff) | |
parent | 29a68cc5bc0583b61457dedc78529f97491558f0 (diff) | |
Merge branch 'improve/rack-clean-path-info' into 'master'
Use Rack::Utils.clean_path_info instead of copy-pasted version.
See merge request gitlab-org/gitlab-ce!27001
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/help_controller.rb | 33 |
1 files changed, 1 insertions, 32 deletions
diff --git a/app/controllers/help_controller.rb b/app/controllers/help_controller.rb
index a9d6addd4a4..10cdce98437 100644
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -22,7 +22,7 @@ class HelpController < ApplicationController
 end
 def show
- @path = clean_path_info(path_params[:path])
+ @path = Rack::Utils.clean_path_info(path_params[:path])
 respond_to do |format|
 format.any(:markdown, :md, :html) do
@@ -75,35 +75,4 @@ class HelpController < ApplicationController
 params
 end
-
- PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
-
- # Taken from ActionDispatch::FileHandler
- # Cleans up the path, to prevent directory traversal outside the doc folder.
- def clean_path_info(path_info)
- parts = path_info.split(PATH_SEPS)
-
- clean = []
-
- # Walk over each part of the path
- parts.each do |part|
- # Turn `one//two` or `one/./two` into `one/two`.
- next if part.empty? || part == '.'
-
- if part == '..'
- # Turn `one/two/../` into `one`
- clean.pop
- else
- # Add simple folder names to the clean path.
- clean << part
- end
- end
-
- # If the path was an absolute path (i.e. `/` or `/one/two`),
- # add `/` to the front of the clean path.
- clean.unshift '/' if parts.empty? || parts.first.empty?
-
- # Join all the clean path parts by the path separator.
- ::File.join(*clean)
- end
 end |
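Review bot: The assignment in `show` no longer says that it is a security control. The deleted helper's comment ("Cleans up the path, to prevent directory traversal outside the doc folder") was removed with it, so a later refactor could mistake the `Rack::Utils.clean_path_info` call for cosmetic normalisation and drop it. I would add a comment directly above the assignment, e.g. `# Normalise the requested path so '..' segments cannot escape the doc folder.` Because the guard now lives in a dependency, a controller spec asserting that a request path containing `..` segments never resolves outside the doc folder would pin the behaviour across Rack upgrades. The diffstat is limited to `app`, so I cannot tell whether such a spec already exists. The body of `show` continues outside the hunk.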