fix: fs serve only edit pathname (fixes #9148) #9173
// restrict files outside of `fs.allow` | ||
if ( | ||
!ensureServingAccess( | ||
slash(path.resolve(fsPathFromId(url))), | ||
slash(path.resolve(fsPathFromId(pathname))), |
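Review bot: on the `ensureServingAccess(` call, the path being checked is now built from `pathname` rather than `url`, so nothing after the pathname reaches the `fs.allow` check any more. Please confirm that the file served afterwards is resolved from this same `pathname`, so that the checked path and the served path cannot differ. A short comment on the changed line saying why `pathname` is used, plus a test with a request URL that carries a query, would keep this from regressing.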
A problem here is that vite allows direct access to files with `?` in the middle. See
`// if we fould postfix exist, we should first try resolving file with postfix. details see #4703.`
So if we only check the pathname, we may not hit the correct entry in the safe list (`moduleGraph.safeModulesPath`). So looks like the full URL needs to be used for `ensureServingAccess`
It seems that that issue existed from before. sirv will only return `/example` when the request URL is `/example?file`.
So to fix this, IIUC we will need another middleware which does `req.url = encodeURIComponent(decodeURI(req.url))` and calls sirv after that.
Description
I should have only encoded/decoded `pathname` and left other parts as-is. #9148 was happening because `encodeURIComponent(decodeURIComponent('?'))` is `%3F`.

fixes #9148
refs #8804
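
The behaviour the description refers to, as an added JavaScript example that is not part of the PR or of Vite's code: re-encoding the whole request URL turns the `?` separator into `%3F`, while re-encoding only the pathname leaves the query intact. The function names, the per-segment re-encoding and the sample URLs are assumptions made for illustration.

```javascript
// Added example; all function names are hypothetical, not Vite's.

// Decode then re-encode each "/"-separated segment (assumed normalization).
const reencode = (s) =>
  s
    .split('/')
    .map((seg) => encodeURIComponent(decodeURIComponent(seg)))
    .join('/');

// "Before" shape: the whole request URL is decoded and re-encoded,
// so the "?" separator becomes %3F and is absorbed into the path.
function normalizeWholeUrl(reqUrl) {
  return reencode(reqUrl);
}

// "After" shape: only the pathname is touched; the query stays as-is.
function normalizePathnameOnly(reqUrl) {
  const q = reqUrl.indexOf('?');
  if (q === -1) return reencode(reqUrl);
  return reencode(reqUrl.slice(0, q)) + reqUrl.slice(q);
}

// File path a static file server would look up for a normalized URL:
// everything before the first literal "?", percent-decoded.
function lookupPath(normalizedUrl) {
  const q = normalizedUrl.indexOf('?');
  const p = q === -1 ? normalizedUrl : normalizedUrl.slice(0, q);
  return decodeURIComponent(p);
}

// Constructed sample requests.
const samples = ['/src/main.js?import', '/my dir/a.css?raw', '/my%20dir/a.css'];
for (const url of samples) {
  const whole = normalizeWholeUrl(url);
  const fixed = normalizePathnameOnly(url);
  console.log(url);
  console.log('  whole URL re-encoded:', whole, '-> file', lookupPath(whole));
  console.log('  pathname only       :', fixed, '-> file', lookupPath(fixed));
}
```

With the whole-URL form the looked-up file name contains the query text, so an access check and a file lookup that both rely on it are working on a path that does not match the requested file.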