From 30f3b831d31ec47e7d120bcd34194b7b69e6f716 Mon Sep 17 00:00:00 2001
From: Luca Casonato
Date: Tue, 27 Oct 2020 11:48:45 +0100
Subject: fix: path traversal in std/http/file_server.ts (#8134)
---
 std/http/file_server.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'std/http/file_server.ts')
diff --git a/std/http/file_server.ts b/std/http/file_server.ts
index e4c8c4931..b75f9f9c1 100644
--- a/std/http/file_server.ts
+++ b/std/http/file_server.ts
@@ -322,14 +322,15 @@ function html(strings: TemplateStringsArray, ...values: unknown[]): string {
 }
 function normalizeURL(url: string): string {
- let normalizedUrl = posix.normalize(url);
+ let normalizedUrl = url;
 try {
- normalizedUrl = decodeURIComponent(normalizedUrl);
+ normalizedUrl = decodeURI(normalizedUrl);
 } catch (e) {
 if (!(e instanceof URIError)) {
 throw e;
 }
 }
+ normalizedUrl = posix.normalize(normalizedUrl);
 const startOfParams = normalizedUrl.indexOf("?");
 return startOfParams > -1
 ? normalizedUrl.slice(0, startOfParams)
-- 
cgit v1.2.3
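Review bot: In `normalizeURL` the query string is still cut off only after `decodeURI` and `posix.normalize` have run, so `..` segments that appear after the `?` take part in normalization and can change which path is served; the cut at `indexOf("?")` should be applied to the raw `url` first. `posix.normalize` also keeps leading `..` segments when its input does not start with `/`, and it does not treat `\` as a separator, so the result is presumably only safe if the caller (not visible here) confirms the joined filesystem path stays under the served root. Rooting the value before the normalize call would make that explicit: `if (!normalizedUrl.startsWith("/")) normalizedUrl = "/" + normalizedUrl;`. A regression test for the percent-encoded dot-segment case this commit fixes would keep the decode-then-normalize order from being swapped back. The function's closing lines fall outside the hunk.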