Prevent bypassing safe guard in pathbuf segments

lib/src/request/param.rs

@@ -290,13 +290,15 @@ impl<'a> FromSegments<'a> for PathBuf {
     fn from_segments(segments: Segments<'a>) -> Result<PathBuf, Utf8Error> {
         let mut buf = PathBuf::new();
         for segment in segments {
-            let decoded = URI::percent_decode(segment.as_bytes())?;
+            let decoded_seg = URI::percent_decode(segment.as_bytes())?;
+            for decoded in Segments(&decoded_seg) {
                 if decoded == ".." {
                     buf.pop();
                 } else if !(decoded.starts_with('.') || decoded.starts_with('*')) {
                     buf.push(&*decoded)
                 }
             }
+        }
 
         Ok(buf)
     }

lib/tests/secure-pathbuf-param.rs

@@ -0,0 +1,29 @@
+#![feature(plugin)]
+#![plugin(rocket_codegen)]
+
+extern crate rocket;
+
+use std::path::PathBuf;
+
+#[get("/<path..>")]
+fn none(path: PathBuf) -> String {
+    path.to_string_lossy().into()
+}
+
+#[cfg(feature = "testing")]
+mod tests {
+    use super::*;
+    use rocket::testing::MockRequest;
+    use rocket::http::Method::*;
+
+    #[test]
+    fn secure_segments() {
+        let rocket = rocket::ignite()
+            .mount("/", routes![none]);
+
+        let mut req = MockRequest::new(Get, "hello%2f..%2f..%2f..%2fetc%2fpasswd");
+        let mut response = req.dispatch_with(&rocket);
+        let body_str = response.body().and_then(|b| b.into_string());
+        assert_eq!(body_str, Some("etc/passwd".into()));
+    }
+}