Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: /@fs/ dir traversal with escaped chars (fixes #8498) #8804

Merged
merged 2 commits into from
Jun 27, 2022

Conversation

sapphi-red
Copy link
Member

Description

This was happening becasue Vite uses decodeURI and sirv uses decodeURIComponent.

const url = decodeURI(req.url!)

let url = decodeURI(req.url!)

https://github.com/lukeed/sirv/blob/886cc962a345780cd78f8910cdcf218db2a8d955/packages/sirv/index.js#L171

Maybe sirv should use decodeURI instead of decodeURIComponent. But I think changing it have a possibility to break Vite somewhere. So I chose to do like this PR.

fixes #8498

Additional context


What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines.
  • Read the Pull Request Guidelines and follow the Commit Convention.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Ideally, include relevant tests that fail without this PR but pass with it.

@sapphi-red sapphi-red added bug p5-urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) security labels Jun 27, 2022
@netlify
Copy link

netlify bot commented Jun 27, 2022

Deploy Preview for vite-docs-main ready!

Name Link
🔨 Latest commit cbc971c
🔍 Latest deploy log https://app.netlify.com/sites/vite-docs-main/deploys/62b924521777ea000864972e
😎 Deploy Preview https://deploy-preview-8804--vite-docs-main.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
p5-urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unrestricted directory traversal with @fs (Bypass)
2 participants