Avoid path traversal attacks

While not currently exploitable due to the configuration of
the destination CLA server, if the lookups were done on a local
filesystem instead of via URL, or if sensitive JSON files (like
those containing passwords) were exposed on the target server,
it would be possible for an attacker to access sensitive
information if they could guess a filename.

Author: csnover

themes/contribute.jquery.org/cla-check.php

@@ -37,6 +37,11 @@ function getData() {
 	}
 
 	$path = "$owner/$repo/" . substr( $sha, 0, 2 ) . "/$sha.json";
+
+	if ( strpos( $path, '..' ) !== FALSE ) {
+		return null;
+	}
+
 	$data = @file_get_contents( JQUERY_CLA_SERVER_URL . "/$path" );
 
 	if ( !$data ) {