forbid access to server-bundle.json in production (#916)

Pooya Parsa 2017-06-18 12:48:45 +04:30
parent 6146de34f8
commit fa9bc9445b


@ -180,6 +180,11 @@ export default class Renderer extends Tapable {
if (!this.options.dev && req.url.indexOf(this.options.build.publicPath) === 0) {
const url = req.url
req.url = req.url.replace(this.options.build.publicPath, '/')
// Forbid access to sensitive data (#916)
if (req.url.includes('server-bundle.json')) {
res.statusCode = 404
return res.end()
}
await this.serveStaticNuxt(req, res)
/* istanbul ignore next */
req.url = url
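Review bot: The new guard `req.url.includes('server-bundle.json')` compares against the raw request string, so it only holds if the static handler resolves the file from exactly that text. `serveStaticNuxt` is not visible here; if it percent-decodes or otherwise normalises the path before the lookup, the check and the file resolution can disagree. Matching on the decoded pathname is safer, for example `const pathname = decodeURIComponent(req.url.split('?')[0])` followed by `if (pathname.includes('server-bundle.json')) {`, with a malformed encoding also answered by the 404. A name denylist covers only this one file, so writing the server bundle outside the directory served under `publicPath` would be the more durable fix. The enclosing method starts and ends outside the hunk, and the early `return` leaves `req.url` rewritten, which looks harmless only because the response has already ended.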