From dbb135130e089030d9be86853e4da789f0b84ce9 Mon Sep 17 00:00:00 2001
From: Daniel Lehman
Date: Wed, 26 Oct 2016 12:17:17 -0700
Subject: [PATCH 2/2] wininet: Canonicalize URL in HttpOpenRequest to remove dot segments
Signed-off-by: Daniel Lehman
---
 dlls/wininet/http.c | 7 ++++---
 dlls/wininet/tests/http.c | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index b51c6c9..b3c8e66 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -3401,13 +3401,14 @@ static DWORD HTTP_HttpOpenRequestW(http_session_t *session,
 if (lpszObjectName && *lpszObjectName) {
 HRESULT rc;
+ WCHAR dummy;
- len = 0;
- rc = UrlEscapeW(lpszObjectName, NULL, &len, URL_ESCAPE_SPACES_ONLY);
+ len = 1;
+ rc = UrlCanonicalizeW(lpszObjectName, &dummy, &len, URL_ESCAPE_SPACES_ONLY);
 if (rc != E_POINTER) len = strlenW(lpszObjectName)+1;
 request->path = heap_alloc(len*sizeof(WCHAR));
- rc = UrlEscapeW(lpszObjectName, request->path, &len,
+ rc = UrlCanonicalizeW(lpszObjectName, request->path, &len,
 URL_ESCAPE_SPACES_ONLY);
 if (rc != S_OK) {
diff --git a/dlls/wininet/tests/http.c b/dlls/wininet/tests/http.c
index f2fe25c..9cda9c5 100644
--- a/dlls/wininet/tests/http.c
+++ b/dlls/wininet/tests/http.c
@@ -2402,6 +2402,10 @@ static DWORD CALLBACK server_thread(LPVOID param)
 send(c, okmsg, sizeof(okmsg)-1, 0);
 send(c, buffer, strlen(buffer), 0);
 }
+ if (strstr(buffer, "GET /test_remove_dot_segments"))
+ {
+ send(c, okmsg, sizeof(okmsg)-1, 0);
+ }
 shutdown(c, 2);
 closesocket(c);
 c = -1;
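Review bot: In HTTP_HttpOpenRequestW (dlls/wininet/http.c) the buffer for request->path is now sized from the canonicalized length, which can be shorter than lpszObjectName once dot segments are removed, whereas the space-escaping it replaces only ever grows the string. If the `rc != S_OK` branch, whose body lies outside this hunk, falls back to copying the original lpszObjectName into request->path, that copy could overrun the allocation whenever the second UrlCanonicalizeW call fails after the probe returned E_POINTER. Sizing for the larger of the two closes that gap: `if (len < strlenW(lpszObjectName)+1) len = strlenW(lpszObjectName)+1;` placed just before the heap_alloc call. The heap_alloc result is also handed to UrlCanonicalizeW without a NULL check.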
@@ -4851,6 +4855,20 @@ static void test_long_url(int port)
 close_request(&req);
 }
+ static void test_remove_dot_segments(int port)
+{
+ test_request_t req;
+ BOOL ret;
+
+ open_simple_request(&req, "localhost", port, NULL, "/A/../B/./C/../../test_remove_dot_segments");
+
+ ret = HttpSendRequestA(req.request, NULL, 0, NULL, 0);
+ ok(ret, "HttpSendRequest failed: %u\n", GetLastError());
+ test_status_code(req.request, 200);
+
+ close_request(&req);
+}
+
 static void test_http_connection(void) {
 struct server_info si;
@@ -4902,6 +4920,7 @@ static void test_http_connection(void)
 test_async_read(si.port);
 test_http_read(si.port);
 test_long_url(si.port);
+ test_remove_dot_segments(si.port);
 /* send the basic request again to shutdown the server thread */
 test_basic_request(si.port, "GET", "/quit");
--
1.9.5
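Review bot: test_remove_dot_segments (dlls/wininet/tests/http.c) checks a single well-formed path, so the edge cases where a client and a server are most likely to disagree about the final path are not pinned by any test. Cases worth adding are an object name whose `..` segments would climb above the root, one with dot segments after a `?`, and one with percent-encoded dots, each paired with the request line the server is expected to receive; a small table-driven loop would keep this short. The server_thread handler uses `strstr(buffer, "GET /test_remove_dot_segments")`, a substring match, so it would have to compare the full request line to tell those cases apart. A comment above the function such as `/* wininet removes dot segments before sending; the server only answers the canonical path */` would record the intent.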