X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Ft%2Fweb%2Fpath-traversal.t;h=01302e672b2846dbb3129a81f99929278d9ab85d;hb=0ea23112cfa0d82738b0f08d60d90579721b7524;hp=8d2f5cc88c47a6b2a5bd9ef8ca509bab2420bb7e;hpb=75162bb14b3e38d66617077843f4dfdcaf09d5c4;p=freeside.git
diff --git a/rt/t/web/path-traversal.t b/rt/t/web/path-traversal.t
index 8d2f5cc88..01302e672 100644
--- a/rt/t/web/path-traversal.t
+++ b/rt/t/web/path-traversal.t
@@ -1,9 +1,10 @@
 use strict;
 use warnings;
-use RT::Test tests => 20;
+use RT::Test tests => undef;
 my ($baseurl, $agent) = RT::Test->started_ok;
+ok($agent->login);
 $agent->get("$baseurl/NoAuth/../Elements/HeaderJavascript");
 is($agent->status, 400);
@@ -19,11 +20,23 @@ $agent->warning_like(qr/Invalid request.*aborting/,);
 $agent->get("$baseurl/NoAuth/../../../etc/RT_Config.pm");
 is($agent->status, 400);
-$agent->warning_like(qr/Invalid request.*aborting/,);
+SKIP: {
+ skip "Apache rejects busting up above / for us", 2 if $ENV{RT_TEST_WEB_HANDLER} =~ /^apache/;
+ $agent->warning_like(qr/Invalid request.*aborting/,);
+};
 $agent->get("$baseurl/NoAuth/css/web2/images/../../../../../../etc/RT_Config.pm");
 is($agent->status, 400);
-$agent->warning_like(qr/Invalid request.*aborting/,);
+SKIP: {
+ skip "Apache rejects busting up above / for us", 2 if $ENV{RT_TEST_WEB_HANDLER} =~ /^apache/;
+ $agent->warning_like(qr/Invalid request.*aborting/,);
+};
+
+# Do not reject a simple /. in the URL, for downloading uploaded
+# dotfiles, for example.
+$agent->get("$baseurl/Ticket/Attachment/28/9/.bashrc");
+is($agent->status, 200); # Even for a file not found, we return 200
+$agent->content_contains("Bad attachment id");
 # do not reject these URLs, even though they contain /. outside the path
 $agent->get("$baseurl/index.html?ignored=%2F%2E");
@@ -38,3 +51,5 @@ is($agent->status, 200);
 $agent->get("$baseurl/index.html#/.");
 is($agent->status, 200);
+
+undef $agent;
+done_testing;
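Review bot: The added `ok($agent->login);` carries no test description, so a failure reports only a line number in TAP output; `ok($agent->login, 'logged in');` names the step like the surrounding assertions should. The switch to `use RT::Test tests => undef;` depends on the `done_testing;` added at the end of the file, which is outside this hunk; if that call is ever dropped the plan silently disappears, so a short comment on the `use` line such as `# plan is closed by done_testing at end of file` would make the pairing visible.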
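Review bot: Both new SKIP blocks match `$ENV{RT_TEST_WEB_HANDLER} =~ /^apache/` without guarding against the variable being unset, which under `use warnings` prints "Use of uninitialized value" on every run that does not export it; `skip "Apache rejects busting up above / for us", 2 if ($ENV{RT_TEST_WEB_HANDLER} // '') =~ /^apache/;` keeps the behaviour and removes the noise (defined-or needs perl 5.10 or later, which the rest of RT presumably already requires). The two blocks are byte-identical, so the condition could be computed once into a lexical, e.g. `my $under_apache = ($ENV{RT_TEST_WEB_HANDLER} // '') =~ /^apache/;`, and each block reduced to `skip "...", 2 if $under_apache;`. The skip count of 2 against a single `warning_like` call is not self-explanatory; if RT::Test's `warning_like` really emits two tests, a one-line comment `# warning_like counts as two tests` next to the first `skip` would stop a reader from treating the count as a mistake.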