fix: path traversal in std/http/file_server.ts (#8134)

author: Luca Casonato <lucacasonato@yahoo.com> 2020-10-27 11:48:45 +0100
committer: GitHub <noreply@github.com> 2020-10-27 11:48:45 +0100
commit: 30f3b831d31ec47e7d120bcd34194b7b69e6f716 (patch)
tree: 6affbc6923ed9cd07f87960d19ab0dab35c9d921 /std/http/file_server.ts
parent: 9fb4931a95e551c689d4f8ed5d7304f64aafc4d0 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/std/http/file_server.ts b/std/http/file_server.ts
index e4c8c4931..b75f9f9c1 100644
--- a/std/http/file_server.ts
+++ b/std/http/file_server.ts
@@ -322,14 +322,15 @@ function html(strings: TemplateStringsArray, ...values: unknown[]): string {
 }
 
 function normalizeURL(url: string): string {
-  let normalizedUrl = posix.normalize(url);
+  let normalizedUrl = url;
   try {
-    normalizedUrl = decodeURIComponent(normalizedUrl);
+    normalizedUrl = decodeURI(normalizedUrl);
   } catch (e) {
     if (!(e instanceof URIError)) {
       throw e;
     }
   }
+  normalizedUrl = posix.normalize(normalizedUrl);
   const startOfParams = normalizedUrl.indexOf("?");
   return startOfParams > -1
     ? normalizedUrl.slice(0, startOfParams)
author	Luca Casonato <lucacasonato@yahoo.com>	2020-10-27 11:48:45 +0100
committer	GitHub <noreply@github.com>	2020-10-27 11:48:45 +0100
commit	30f3b831d31ec47e7d120bcd34194b7b69e6f716 (patch)
tree	6affbc6923ed9cd07f87960d19ab0dab35c9d921 /std/http/file_server.ts
parent	9fb4931a95e551c689d4f8ed5d7304f64aafc4d0 (diff)