url.lua:remove_dot_components(): limit beginning-of-string double-dot corner case to prevent triple-dot activation and authority collision

2 files changed, 2 insertions, 1 deletions

diff --git a/src/url.lua b/src/url.lua
index a354ab5..0d88adb 100644
--- a/src/url.lua
+++ b/src/url.lua
@@ -94,7 +94,7 @@ local function remove_dot_components(path)
     path = path:gsub('[^/]+/%.%./*$', '')
     path = path:gsub('/%.%.$', '/')
     path = path:gsub('/%.$', '/')
-    path = path:gsub('^/%.%.', '')
+    path = path:gsub('^/%.%./', '/')
     return path
 end
 
diff --git a/test/urltest.lua b/test/urltest.lua
index 649be88..8664fa6 100644
--- a/test/urltest.lua
+++ b/test/urltest.lua
@@ -685,6 +685,7 @@ check_absolute_url("a/b/c/d/../", "d/e/f", "a/b/c/d/e/f")
 check_absolute_url("http://velox.telemar.com.br", "/dashboard/index.html", 
    "http://velox.telemar.com.br/dashboard/index.html")
 check_absolute_url("http://example.com/", "../.badhost.com/", "http://example.com/.badhost.com/")
+check_absolute_url("http://example.com/", "...badhost.com/", "http://example.com/...badhost.com/")
 
 print("testing path parsing and composition")
 check_parse_path("/eu/tu/ele", { "eu", "tu", "ele"; is_absolute = 1 })