The API permits path traversal characters like '../' to be passed down
to the template finder. Detect these requests and cause them to fail
with a 500 response code.
In Ruby 2.4, `URI.join("http://test//", "a").to_s` will
remove the double slash, however it's not the case in
Ruby 2.5. Using chomp should work better for the intention,
as we're not trying to allow things like ../ or / paths
resolution.
This helper method append path to host, making sure
there's one single slash as path separator.
Don't allow line breaks on HTTP headers
See merge request gitlab/gitlabhq!2277
(cherry picked from commit 7fc0a6fc096768a5604d6dd24d7d952e53300c82)
073b8f9c Don't allow line breaks on HTTP headers
Nick Thomas
Douglas Barbosa Alexandre
Rubén Dávila
Mario de la Ossa
Robert Speicher
Michael Kozono
Bob Van Landuyt
vanadium23
Rémy Coutable
Lin Jen-Shin
Douwe Maan
Felipe Artur