
Commit 35942cd

fix: don't resolve URL starting with double slash (#19059)
1 parent ea53e70 commit 35942cd


2 files changed

+8
-5
lines changed


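--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -119,12 +119,15 @@ export function serveStaticMiddleware(
 if (
 cleanedUrl[cleanedUrl.length - 1] === '/' ||
 path.extname(cleanedUrl) === '.html' ||
-isInternalRequest(req.url!)
+isInternalRequest(req.url!) ||
+// skip url starting with // as these will be interpreted as
+// scheme relative URLs by new URL() and will not be a valid file path
+req.url?.startsWith('//')
 ) {
 return next()
 }
 
-const url = new URL(req.url!.replace(/^\/{2,}/, '/'), 'http://example.com')
+const url = new URL(req.url!, 'http://example.com')
 const pathname = decodeURI(url.pathname)
 
 // apply aliases to static requests as well
@@ -177,12 +180,12 @@ export function serveRawFsMiddleware(
 
 // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
 return function viteServeRawFsMiddleware(req, res, next) {
-const url = new URL(req.url!.replace(/^\/{2,}/, '/'), 'http://example.com')
 // In some cases (e.g. linked monorepos) files outside of root will
 // reference assets that are also out of served root. In such cases
 // the paths are rewritten to `/@fs/` prefixed paths and must be served by
 // searching based from fs root.
-if (url.pathname.startsWith(FS_PREFIX)) {
+if (req.url!.startsWith(FS_PREFIX)) {
+const url = new URL(req.url!, 'http://example.com')
 const pathname = decodeURI(url.pathname)
 // restrict files outside of `fs.allow`
 if (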

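--- a/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
+++ b/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
@@ -28,5 +28,5 @@ if (!isBuild) {
 
 test.runIf(!isBuild)('denied .env', async () => {
 expect(await page.textContent('.unsafe-dotenv')).toBe('403')
-expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
+expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('200') // SPA fallback
 })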
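Review bot: The changed expectation asserts only the status `'200'` for the double-slash request, and a bare 200 cannot distinguish the intended SPA fallback from the `.env` file being served, so a regression that leaks the file with 200 would still pass this test. If the playground page exposes the response body (I cannot see its markup from here), add an assertion that the body is the fallback HTML and does not contain the env contents, and say so in the comment, e.g. `// SPA fallback: must be index.html, never the .env contents`. The `denied .env` test body is fully inside the hunk; the surrounding `if (!isBuild)` block starts outside it.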
