From 63ffe9043170fbed8a5d260decfdc05e4440a555 Mon Sep 17 00:00:00 2001
From: Conduitry
Date: Fri, 20 Mar 2020 07:56:59 -0400
Subject: [PATCH] fix vulnerability when serving /client/... files
---
 runtime/src/server/middleware/index.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/runtime/src/server/middleware/index.ts b/runtime/src/server/middleware/index.ts
index f7bbea4ff..d8cbd9879 100644
--- a/runtime/src/server/middleware/index.ts
+++ b/runtime/src/server/middleware/index.ts
@@ -106,15 +106,15 @@ export function serve({ prefix, pathname, cache_control }: {
 const cache: Map = new Map();
 const read = dev
- ? (file: string) => fs.readFileSync(path.resolve(build_dir, file))
- : (file: string) => (cache.has(file) ? cache : cache.set(file, fs.readFileSync(path.resolve(build_dir, file)))).get(file)
+ ? (file: string) => fs.readFileSync(path.join(build_dir, file))
+ : (file: string) => (cache.has(file) ? cache : cache.set(file, fs.readFileSync(path.join(build_dir, file)))).get(file)
 return (req: Req, res: Res, next: () => void) => {
 if (filter(req)) {
 const type = lookup(req.path);
 try {
- const file = decodeURIComponent(req.path.slice(1));
+ const file = path.posix.normalize(decodeURIComponent(req.path));
 const data = read(file);
 res.setHeader('Content-Type', type);
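Review bot: Containment of `file` under `build_dir` now rests entirely on `path.posix.normalize` collapsing `..` segments in the decoded `req.path`, and nothing checks the joined path afterwards. `path.posix.normalize` treats only `/` as a separator, while `path.join` inside `read` follows the host platform's rules, so on a Windows host backslashes produced by decoding would not be collapsed before the join; whether that deployment is supported is not visible here. A check on the final path would make the guarantee independent of the normalisation step, e.g. `const abs = path.resolve(build_dir, '.' + file);` followed by `if (!abs.startsWith(path.resolve(build_dir) + path.sep)) return next();` before `read(file)`. A one-line comment on `read` saying that `path.join` is deliberate (`path.resolve` would discard `build_dir` when `file` is absolute) would keep the call from being reverted later. The `try` block and the rest of `serve` continue outside the hunk.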