Gratipay: Username .. (double dot) should be restricted or handled carefully

2016-07-20T10:23:48
ID H1:152477
Type hackerone
Reporter sh4dow
Modified 2016-07-20T13:46:30

Description

If I change my username to "test" then as in normal case it will send a GET request to /test/settings but if I change my username to ".." (double dot within inverted commas) then it will send GET request to /settings because /../settings will change to /settings and hence final GET request will be to /settings which will show a 404 page. I have attached a video as POC.

Regards!