From a4dee97300e22b550d6464ea75d9c1b3c278ab14 Mon Sep 17 00:00:00 2001 From: Jafar Akhondali <jafar.akhoondali@gmail.com> Date: Tue, 30 Jul 2024 19:42:07 +0200 Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks. --- assets/js/lib/three/utils/servers/simplehttpserver.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/assets/js/lib/three/utils/servers/simplehttpserver.js b/assets/js/lib/three/utils/servers/simplehttpserver.js index 25af726..0f2b78b 100755 --- a/assets/js/lib/three/utils/servers/simplehttpserver.js +++ b/assets/js/lib/three/utils/servers/simplehttpserver.js @@ -23,6 +23,11 @@ var port = 8000, port = process.argv[2] ? parseInt(process.argv[2], 0) : port; function handleRequest(request, response) { + if (path.normalize(decodeURIComponent(urlObject.pathname)) !== decodeURIComponent(urlObject.pathname)) { + response.statusCode = 403; + response.end(); + return; + } var urlObject = urlParser.parse(request.url, true); var pathname = decodeURIComponent(urlObject.pathname);