class Rack::Protection::PathTraversal

Thus GET /foo/%2e%2e%2fbar becomes GET /bar.
Unescapes ‘/’ and ‘.’, expands path_info.
More infos
en.wikipedia.org/wiki/Directory_traversal<br>Supported browsers
all
Prevented attack

Directory traversal
#

def call(env)

def call(env)
  path_was         = env["PATH_INFO"]
  env["PATH_INFO"] = cleanup path_was if path_was
  app.call env
ensure
  env["PATH_INFO"] = path_was
end

def cleanup(path)

def cleanup(path)
  parts     = []
  unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
  unescaped.split('/').each do |part|
    next if part.empty? or part == '.'
    part == '..' ? parts.pop : parts << part
  end
  cleaned = '/' << parts.join('/')
  cleaned << '/' if parts.any? and unescaped =~ /\/\.{0,2}$/
  cleaned
end