Merge pull request #5066 from lest/patch-1

escape static file path to prevent double unescaping

3 files changed, 6 insertions, 1 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb
index 404943d720..11c346926c 100644
--- a/actionpack/lib/action_dispatch/middleware/static.rb
+++ b/actionpack/lib/action_dispatch/middleware/static.rb
@@ -18,7 +18,7 @@ module ActionDispatch
       match = matches.detect { |m| File.file?(m) }
       if match
         match.sub!(@compiled_root, '')
-        match
+        ::Rack::Utils.escape(match)
       end
     end
 
diff --git a/actionpack/test/dispatch/static_test.rb b/actionpack/test/dispatch/static_test.rb
index b7a53353a9..d91a857d18 100644
--- a/actionpack/test/dispatch/static_test.rb
+++ b/actionpack/test/dispatch/static_test.rb
@@ -35,6 +35,10 @@ module StaticTests
     assert_html "means hello in Japanese\n", get("/foo/#{Rack::Utils.escape("こんにちは.html")}")
   end
 
+  def test_serves_static_file_with_plus_in_filename
+    assert_html "foo+bar\n", get('/foo/foo%2Bbar.html')
+  end
+
   private
 
     def assert_html(body, response)
diff --git a/actionpack/test/fixtures/public/foo/foo+bar.html b/actionpack/test/fixtures/public/foo/foo+bar.html
new file mode 100644
index 0000000000..92c0ad9ac9
--- /dev/null
+++ b/actionpack/test/fixtures/public/foo/foo+bar.html
@@ -0,0 +1 @@
+foo+bar