Fix remove_double_dots_and_double_slashes removing all the dots leading http...

Fix remove_double_dots_and_double_slashes removing all the dots leading http server to serve wrong URI

If the uri is something like '/js/...jquery.js', remove_double_dots_and_double_slashes will remove the 3 dots and the http server will serves the /js/jquery.js file.
remove_double_dots_and_double_slashes should check if a dot or double dots is followed by a slash (or backslash) and only remove this to avoid disclosure attack.

mongoose.c

@@ -2430,7 +2430,9 @@ static void remove_double_dots_and_double_slashes(char *s) {
       // Skip all following slashes, backslashes and double-dots
       while (s[0] != '\0') {
         if (s[0] == '/' || s[0] == '\\') { s++; }
-        else if (s[0] == '.' && s[1] == '.') { s += 2; }
+        else if (s[0] == '.' && (s[1] == '/' || s[1] == '\\')) { s += 2; }
+        else if (s[0] == '.' && s[1] == '.' && s[2] == '\0') { s += 2; }
+        else if (s[0] == '.' && s[1] == '.' && (s[2] == '/' || s[2] == '\\')) { s += 3; }
         else { break; }
       }
     }

test/unit_test.c

@@ -198,17 +198,19 @@ static const char *test_match_prefix(void) {
 }
 
 static const char *test_remove_double_dots() {
-  struct { char before[20], after[20]; } data[] = {
+  struct { char before[30], after[30]; } data[] = {
     {"////a", "/a"},
-    {"/.....", "/."},
-    {"/......", "/"},
+    {"/.....", "/....."},
+    {"/......", "/......"},
     {"...", "..."},
-    {"/...///", "/./"},
+    {"/...///", "/.../"},
     {"/a...///", "/a.../"},
     {"/.x", "/.x"},
     {"/\\", "/"},
     {"/a\\", "/a\\"},
-    {"/a\\\\...", "/a\\."},
+    {"/a\\\\...", "/a\\..."},
+    {"foo/x..y/././y/../../..", "foo/x..y/y/"},
+    {"foo/..x", "foo/..x"},
   };
   size_t i;