From dc910868027a7ff979d9ba37b712ab10cf99dadf Mon Sep 17 00:00:00 2001
From: patak
Date: Fri, 26 May 2023 12:54:49 +0200
Subject: [PATCH] fix: port #13348 to v2, fs.deny with leading double slash
---
 packages/vite/src/node/server/middlewares/static.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index 4ffd4e000dd42b..7672cb8506d0b9 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -78,7 +78,7 @@ export function serveStaticMiddleware(
 return next()
 }
- const url = new URL(req.url!, 'http://example.com')
+ const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
 const pathname = decodeURIComponent(url.pathname)
 // apply aliases to static requests as well
@@ -125,7 +125,7 @@ export function serveRawFsMiddleware(
 // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
 return function viteServeRawFsMiddleware(req, res, next) {
- const url = new URL(req.url!, 'http://example.com')
+ const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
 // In some cases (e.g. linked monorepos) files outside of root will
 // reference assets that are also out of served root. In such cases
 // the paths are rewritten to `/@fs/` prefixed paths and must be served by
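Review bot: The leading-slash collapse `req.url!.replace(/^\/+/, '/')` is added inline in serveStaticMiddleware with no comment saying why it is there, and the identical expression is repeated in the second hunk (viteServeRawFsMiddleware). Without it, a request target that starts with `//` is read by `new URL()` as a protocol-relative reference, so the first path segment becomes the host and `url.pathname` no longer matches the path the client sent; presumably that mismatch is what let the `fs.deny` check named in the subject be skipped. I would add a comment such as `// collapse leading slashes so new URL() cannot treat the first path segment as a host` and move the expression into one shared helper used by both middlewares, backed by a regression test that requests a denied file through a `//`-prefixed URL. Both function bodies start and end outside the hunks, so whether any other code path parses `req.url` without this normalisation cannot be judged from here.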