From 6eb729381ed267c4a84afac65fa0ef4c77e6d095 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 19:12:05 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 .../utils/servers/simplehttpserver.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Class24/mrdoob-three.js-1f968fe/utils/servers/simplehttpserver.js b/Class24/mrdoob-three.js-1f968fe/utils/servers/simplehttpserver.js
index 25af726a..68d31cb0 100755
--- a/Class24/mrdoob-three.js-1f968fe/utils/servers/simplehttpserver.js
+++ b/Class24/mrdoob-three.js-1f968fe/utils/servers/simplehttpserver.js
@@ -26,6 +26,11 @@ function handleRequest(request, response) {
 var urlObject = urlParser.parse(request.url, true);
 var pathname = decodeURIComponent(urlObject.pathname);
+ if (path.normalize(decodeURIComponent(urlObject.pathname)) !== decodeURIComponent(urlObject.pathname)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 console.log('[' + (new Date()).toUTCString() + '] ' + '"' + request.method + ' ' + pathname + '"');
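Review bot: On Windows `path.normalize` rewrites `/` to `\`, so the added comparison fails for every request path and the server answers 403 unconditionally; use the already-decoded `pathname` from the previous line with the platform-independent form, `if (path.posix.normalize(pathname) !== pathname) {`, instead of decoding `urlObject.pathname` a second and third time, or more robustly resolve the joined file path and require it to start with the serving root. The check also runs before the request is logged, so rejected requests never appear in the log; logging the rejection, e.g. `console.log('[' + (new Date()).toUTCString() + '] 403 ' + pathname);` before `response.end();`, keeps traversal attempts visible to whoever reads the output. `decodeURIComponent` throws a URIError on malformed percent-encoding such as `%E0`, and nothing visible in the hunk catches it; that predates this change, but the new lines add two more call sites, which is another reason to reuse `pathname`. `handleRequest` starts and ends outside the hunk.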