From 4636041f5eea628067d56158428c35230e008149 Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Wed, 10 Jun 2009 00:42:37 +0000
Subject: [PATCH] fixed: assets can have urls with /./ or /../ in them, making them inaccessible

---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Session/Url.pm | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 0c4a1a8e7..6cbe2cbe6 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -9,6 +9,7 @@
  - removed hardcoding of administer.js and survey.css hardcoded extras paths.
  - fixed: Error message when you try to send a message from the Inbox, but none of your friends allow private messaging.
  - fixed: Images uploaded to a Story should all be the same width so the YUI carousel does not break.
+ - fixed: assets can have urls with /./ or /../ in them, making them inaccessible
 7.7.9
  - fixed #10266: Public Profile overrides Able to be friend
diff --git a/lib/WebGUI/Session/Url.pm b/lib/WebGUI/Session/Url.pm
index bcc41be1e..7eef20ec5 100644
--- a/lib/WebGUI/Session/Url.pm
+++ b/lib/WebGUI/Session/Url.pm
@@ -529,6 +529,11 @@ sub urlize {
     my ($value);
     $value = lc(shift); #lower cases whole string
     $value = $self->makeCompliant($value);
+
+    # remove /./ or /../
+    $value =~ s{(^|/)\.\.?/}{$1};
+
+    # remove trailing slashes
     $value =~ s/\/$//;
     return $value;
 }
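Review bot: The added substitution `$value =~ s{(^|/)\.\.?/}{$1};` runs once, so only the first `/./` or `/../` segment is removed; a value holding several of them, or one where removing a segment exposes another (`a/./../b` becomes `a/../b`), still yields an inaccessible URL, and a trailing `/..` or `/.` with no slash after it is never matched. Repeating until nothing changes and accepting end-of-string as the closing delimiter covers all of these in one line: `1 while $value =~ s{(^|/)\.\.?(?:/|\z)}{$1};`. The new comment `# remove trailing slashes` also overstates the following `s/\/$//`, which strips exactly one slash; either reword it to `# remove one trailing slash` or make the strip repeat as well. The body of urlize begins above this hunk, so whatever makeCompliant does to dots before this point cannot be checked here.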