From 292fa22303f265a153547799284e592fe473baef Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:55:30 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 .../mrdoob/three.js@r73/utils/servers/simplehttpserver.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/jspm_packages/github/mrdoob/three.js@r73/utils/servers/simplehttpserver.js b/jspm_packages/github/mrdoob/three.js@r73/utils/servers/simplehttpserver.js
index 25af726..edf53f3 100644
--- a/jspm_packages/github/mrdoob/three.js@r73/utils/servers/simplehttpserver.js
+++ b/jspm_packages/github/mrdoob/three.js@r73/utils/servers/simplehttpserver.js
@@ -23,6 +23,12 @@ var port = 8000,
 port = process.argv[2] ? parseInt(process.argv[2], 0) : port;
 function handleRequest(request, response) {
+ if (path.normalize(decodeURIComponent(urlObject.pathname)) !== decodeURIComponent(urlObject.pathname)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
+
 var urlObject = urlParser.parse(request.url, true);
 var pathname = decodeURIComponent(urlObject.pathname);
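Review bot: The added guard reads `urlObject.pathname` before the `var urlObject = urlParser.parse(request.url, true);` line that follows it; with `var` hoisting `urlObject` is still `undefined` at that point, so every request throws a TypeError in the handler instead of being screened, and an uncaught throw inside a Node request handler takes the whole process down. Move the five-line block below the `var pathname = ...` line and compare the already-decoded value, `if (path.normalize(pathname) !== pathname) {`, so the decode happens once. `decodeURIComponent` also throws `URIError` on malformed percent-encoding such as a lone `%`, so the decode should sit in a `try`/`catch` that answers 400 rather than letting the exception escape. Comparing the normalized string with its input is a heuristic; the stronger check is to resolve the final file path and verify it is still inside the served directory, but that join happens further down in handleRequest, outside this hunk, as does the `require('path')` the guard depends on, so both should be confirmed there.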