More security for path

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Router.pm

@@ -112,7 +112,11 @@ sub handler {
     }
 
     # Only words are taken in path
-    my @path = grep { $_ =~ /^[\.\w]+/ } split /\//, $req->path();
+    my $last = 0;
+    my @path = grep {
+        $last = 1 if ( $_ =~ /[^\.\w]/ );
+        ( $last or /^$/ ? 0 : 1 );
+    } split /\//, $req->path();
     $self->lmLog( "Start routing " . ( $path[0] // 'default route' ), 'debug' );
 
     if ( !@path and $self->defaultRoute ) {
@@ -136,7 +140,7 @@ sub followPath {
     }
     if ( $routes->{':'} ) {
         my $v = shift @$path;
-        $req->set_param($routes->{'#'}, $v);
+        $req->set_param( $routes->{'#'}, $v );
         if ( ref( $routes->{':'} ) eq 'CODE' ) {
             return $routes->{':'}->( $self, $req, @$path );
         }

lemonldap-ng-handler/t/63-Lemonldap-NG-Handler-PSGI-Try.t

@@ -62,6 +62,12 @@ ok( $res->[2]->[0] eq 'Auth', 'Get auth result' )
   or print "Expect Auth, got $res->[2]->[0]\n";
 count(3);
 
+# Pad path test
+
+ok($res = $client->_get('/[]/test'), 'Try a bad path');
+ok( $res->[0] == 400, 'Response is 400' );
+count(2);
+
 clean();
 
 done_testing( count() );