From a4dee97300e22b550d6464ea75d9c1b3c278ab14 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali <jafar.akhoondali@gmail.com>
Date: Tue, 30 Jul 2024 19:42:07 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal
 attacks.

---
 assets/js/lib/three/utils/servers/simplehttpserver.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/assets/js/lib/three/utils/servers/simplehttpserver.js b/assets/js/lib/three/utils/servers/simplehttpserver.js
index 25af726..0f2b78b 100755
--- a/assets/js/lib/three/utils/servers/simplehttpserver.js
+++ b/assets/js/lib/three/utils/servers/simplehttpserver.js
@@ -23,6 +23,11 @@ var port = 8000,
 port = process.argv[2] ? parseInt(process.argv[2], 0) : port;
 
 function handleRequest(request, response) {
+    if (path.normalize(decodeURIComponent(urlObject.pathname)) !== decodeURIComponent(urlObject.pathname)) {
+        response.statusCode = 403;
+        response.end();
+        return;
+    }
 
 	var urlObject = urlParser.parse(request.url, true);
 	var pathname = decodeURIComponent(urlObject.pathname);
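Review bot: The added guard reads `urlObject.pathname` before `urlObject` is assigned two lines further down; because `var` is hoisted, `urlObject` is still `undefined` there, so the check throws a TypeError on every request instead of answering 403. Move the block below the `var pathname = decodeURIComponent(urlObject.pathname);` line and compare the already-decoded value, `if (path.normalize(pathname) !== pathname) {`. `decodeURIComponent` also throws a URIError on a malformed percent-escape, so that call should sit in a `try`/`catch` that answers 400. The `path.normalize` comparison is platform-dependent (on Windows it rewrites `/` to `\`, so every path would differ); a sturdier check resolves the requested file against the served root directory and rejects anything that falls outside it. The rest of handleRequest and the file's `require` lines are outside the hunk, so confirm that `path` is actually in scope here.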