From a62d72dff7bd6842bf1d20f73d568e5d015a7edd Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:47:48 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.

---
 .../js/fancytree/jquery-ui-contextmenu-master/test/server.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ckanext/publicamundi/themes/geodata/public/js/fancytree/jquery-ui-contextmenu-master/test/server.js b/ckanext/publicamundi/themes/geodata/public/js/fancytree/jquery-ui-contextmenu-master/test/server.js
index 4447f12..893bded 100644
--- a/ckanext/publicamundi/themes/geodata/public/js/fancytree/jquery-ui-contextmenu-master/test/server.js
+++ b/ckanext/publicamundi/themes/geodata/public/js/fancytree/jquery-ui-contextmenu-master/test/server.js
@@ -4,6 +4,11 @@ var path = require("path");
 var fs = require("fs");
 http.createServer(function(request, response) {
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 var uri = url.parse(request.url).pathname;
 var filename = path.join(process.cwd(), uri);