class Rack::Protection::PathTraversal

Thus GET /foo/%2e%2e%2fbar becomes GET /bar.
Unescapes ‘/’ and ‘.’, expands path_info.
More infos
en.wikipedia.org/wiki/Directory_traversal<br>Supported browsers
all
Prevented attack

Directory traversal
#

def call(env)

def call(env)
  path_was         = env['PATH_INFO']
  env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty?
  app.call env
ensure
  env['PATH_INFO'] = path_was
end

def cleanup(path)

def cleanup(path)
  encoding = path.encoding
  dot   = '.'.encode(encoding)
  slash = '/'.encode(encoding)
  backslash = '\\'.encode(encoding)
  parts     = []
  unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
  unescaped = unescaped.gsub(backslash, slash)
  unescaped.split(slash).each do |part|
    next if part.empty? || (part == dot)
    part == '..' ? parts.pop : parts << part
  end
  cleaned = slash + parts.join(slash)
  cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$})
  cleaned
end