Backport redirect vuln fix

jfhbrook · May 3, 2019 · 4e2a944 · 4e2a944
1 parent f5a173d
commit 4e2a944
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/lib/ecstatic.js b/lib/ecstatic.js
@@ -144,7 +144,7 @@ var ecstatic = module.exports = function (dir, options) {
           }
 
           // 302 to / if necessary
-          if (!parsed.pathname.match(/\/$/)) {
+          if (!pathname.match(/\/$/)) {
             res.statusCode = 302;
             res.setHeader('location', parsed.pathname + '/' +
               (parsed.query? ('?' + parsed.query):'')
@@ -384,15 +384,15 @@ function shouldCompress(req) {
 function decodePathname(pathname) {
   var pieces = pathname.replace(/\\/g,"/").split('/');
 
-  return pieces.map(function (piece) {
+  return path.normalize(pieces.map(function (piece) {
     piece = decodeURIComponent(piece);
 
     if (process.platform === 'win32' && /\\/.test(piece)) {
       throw new Error('Invalid forward slash character');
     }
 
     return piece;
-  }).join('/');
+  }).join('/'));
 }
 
 if (!module.parent) {