FIX #yogosha6944 Protection against traversal path.

test/phpunit/SecurityTest.php

@@ -349,7 +349,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$_POST["param1"]="333";
 		$_GET["param2"]='a/b#e(pr)qq-rr\cc';
 		$_GET["param3"]='"na/b#e(pr)qq-rr\cc';    // Same than param2 + " and n
-		$_GET["param4"]='../dir';
+		$_GET["param4a"]='../../dir';
+		$_GET["param4b"]='..\..\dirwindows';
 		$_GET["param5"]="a_1-b";
 		$_POST["param6"]="&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;";
 		$_POST["param6b"]='<<<../>../>../svg><<<../>../>../animate =alert(1)>abc';
@@ -394,10 +395,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		print __METHOD__." result=".$result."\n";
 		$this->assertEquals($result, 'na/b#e(pr)qq-rr\cc', 'Test on param3');
 
-		$result=GETPOST("param4", 'alpha');  // Must return string sanitized from ../
+		$result=GETPOST("param4a", 'alpha');  // Must return string sanitized from ../
 		print __METHOD__." result=".$result."\n";
 		$this->assertEquals($result, 'dir');
 
+		$result=GETPOST("param4b", 'alpha');  // Must return string sanitized from ../
+		print __METHOD__." result=".$result."\n";
+		$this->assertEquals($result, 'dirwindows');
+
 		// Test with aZ09
 
 		$result=GETPOST("param1", 'aZ09');
@@ -412,7 +417,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		print __METHOD__." result=".$result."\n";
 		$this->assertEquals($result, '');
 
-		$result=GETPOST("param4", 'aZ09');  // Must return '' as string contains car not in aZ09 definition
+		$result=GETPOST("param4a", 'aZ09');  // Must return '' as string contains car not in aZ09 definition
+		print __METHOD__." result=".$result."\n";
+		$this->assertEquals('', $result);
+
+		$result=GETPOST("param4b", 'aZ09');  // Must return '' as string contains car not in aZ09 definition
 		print __METHOD__." result=".$result."\n";
 		$this->assertEquals('', $result);