Skip to content

fix(server): handle malformed URI in memory files middleware#22714

Merged
sapphi-red merged 1 commit into
mainfrom
shulaoda/06-19-fix_server_handle_malformed_uri_in_memory_files_middleware
Jun 19, 2026
Merged

fix(server): handle malformed URI in memory files middleware#22714
sapphi-red merged 1 commit into
mainfrom
shulaoda/06-19-fix_server_handle_malformed_uri_in_memory_files_middleware

Conversation

@shulaoda

@shulaoda shulaoda commented Jun 19, 2026

Copy link
Copy Markdown
Member

memoryFilesMiddleware (used in experimental.bundledDev full-bundle mode) decoded the request URL without guarding against malformed input.

Wrapped the decode in try/catch and return next() on failure, mirroring htmlFallback.ts.

@shulaoda shulaoda requested a review from sapphi-red June 19, 2026 11:28
@sapphi-red sapphi-red added p2-edge-case Bug, but has workaround or limited in scope (priority) feat: dev dev server labels Jun 19, 2026
@sapphi-red sapphi-red merged commit df9e0a5 into main Jun 19, 2026
22 of 24 checks passed
@sapphi-red sapphi-red deleted the shulaoda/06-19-fix_server_handle_malformed_uri_in_memory_files_middleware branch June 19, 2026 11:42
renovate Bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Jun 24, 2026
| datasource | package | from   | to    |
| ---------- | ------- | ------ | ----- |
| npm        | vite    | 8.0.14 | 8.1.0 |


## [v8.1.0](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#810-2026-06-23)

##### Features

- extend `server.fs.deny` list with common files ([#22707](vitejs/vite#22707)) ([61ba8fd](vitejs/vite@61ba8fd))
- update rolldown to 1.1.2 ([#22695](vitejs/vite#22695)) ([4f008a6](vitejs/vite@4f008a6))
- use `~` for Rolldown ([#22693](vitejs/vite#22693)) ([9928722](vitejs/vite@9928722))

##### Bug Fixes

- **bundled-dev:** errors should be kept when incremental build fails ([#22617](vitejs/vite#22617)) ([9a0dd48](vitejs/vite@9a0dd48))
- cache falsy values in perEnvironmentState ([#22715](vitejs/vite#22715)) ([0e91e79](vitejs/vite@0e91e79))
- **glob:** respect caseSensitive option in hmr matcher ([#22711](vitejs/vite#22711)) ([65f525e](vitejs/vite@65f525e))
- **html:** omit nonce on import map when cspNonce is unset ([#22713](vitejs/vite#22713)) ([8340bb5](vitejs/vite@8340bb5))
- **optimizer:** skip null-valued exports in expandGlobIds glob resolution ([#22611](vitejs/vite#22611)) ([8b9f5cd](vitejs/vite@8b9f5cd))
- resolved build options should be kept as a getter ([#22691](vitejs/vite#22691)) ([3527191](vitejs/vite@3527191))
- **server:** handle malformed URI in memory files middleware ([#22714](vitejs/vite#22714)) ([df9e0a5](vitejs/vite@df9e0a5))
- use literal envPrefix queries for Vite Task ([#22706](vitejs/vite#22706)) ([da72733](vitejs/vite@da72733))
- warn on deprecated envFile ([#22555](vitejs/vite#22555)) ([ed7b283](vitejs/vite@ed7b283))

##### Code Refactoring

- **client:** inline dev-id value in CSS selector ([#22736](vitejs/vite#22736)) ([57f59bc](vitejs/vite@57f59bc))
- remove unused removeRawQuery util ([#22724](vitejs/vite#22724)) ([403cc60](vitejs/vite@403cc60))
- use `rolldownOptions` property for chunkImportMap ([#22692](vitejs/vite#22692)) ([8e8816c](vitejs/vite@8e8816c))


## [v8.0.16](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small)

##### Bug Fixes

- **deps:** reject UNC paths for launch-editor-middleware ([#22571](vitejs/vite#22571)) ([50b9512](vitejs/vite@50b9512))
- reject windows alternate paths ([#22572](vitejs/vite#22572)) ([dc245c7](vitejs/vite@dc245c7))


## [v8.0.15](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small)

##### Features

- send 408 on request timeout ([#22476](vitejs/vite#22476)) ([c85c9ee](vitejs/vite@c85c9ee))
- update rolldown to 1.0.3 ([#22538](vitejs/vite#22538)) ([646dbed](vitejs/vite@646dbed))

##### Bug Fixes

- capitalize error messages and remove spurious space in parse error ([#22488](vitejs/vite#22488)) ([85a0eff](vitejs/vite@85a0eff))
- **deps:** update all non-major dependencies ([#22511](vitejs/vite#22511)) ([2686d7d](vitejs/vite@2686d7d))
- **dev:** fix html-proxy cache key mismatch for /@fs/ HTML paths ([#21762](vitejs/vite#21762)) ([47c4213](vitejs/vite@47c4213))
- **glob:** error on relative glob in virtual module when no files match ([#22497](vitejs/vite#22497)) ([5c8e98f](vitejs/vite@5c8e98f))
- **optimizer:** close the rolldown bundle when write() rejects ([#22528](vitejs/vite#22528)) ([e3cfb9d](vitejs/vite@e3cfb9d))
- **resolve:** provide onWarn for viteResolvePlugin in JS plugin containers ([#22509](vitejs/vite#22509)) ([40985f1](vitejs/vite@40985f1))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies ([#22566](vitejs/vite#22566)) ([3052a67](vitejs/vite@3052a67))

##### Code Refactoring

- correct logic in `collectAllModules` function ([#22562](vitejs/vite#22562)) ([6978a9c](vitejs/vite@6978a9c))
renovate Bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Jun 24, 2026
| datasource | package | from   | to    |
| ---------- | ------- | ------ | ----- |
| npm        | vite    | 8.0.14 | 8.1.0 |


## [v8.1.0](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#810-2026-06-23)

##### Features

- extend `server.fs.deny` list with common files ([#22707](vitejs/vite#22707)) ([61ba8fd](vitejs/vite@61ba8fd))
- update rolldown to 1.1.2 ([#22695](vitejs/vite#22695)) ([4f008a6](vitejs/vite@4f008a6))
- use `~` for Rolldown ([#22693](vitejs/vite#22693)) ([9928722](vitejs/vite@9928722))

##### Bug Fixes

- **bundled-dev:** errors should be kept when incremental build fails ([#22617](vitejs/vite#22617)) ([9a0dd48](vitejs/vite@9a0dd48))
- cache falsy values in perEnvironmentState ([#22715](vitejs/vite#22715)) ([0e91e79](vitejs/vite@0e91e79))
- **glob:** respect caseSensitive option in hmr matcher ([#22711](vitejs/vite#22711)) ([65f525e](vitejs/vite@65f525e))
- **html:** omit nonce on import map when cspNonce is unset ([#22713](vitejs/vite#22713)) ([8340bb5](vitejs/vite@8340bb5))
- **optimizer:** skip null-valued exports in expandGlobIds glob resolution ([#22611](vitejs/vite#22611)) ([8b9f5cd](vitejs/vite@8b9f5cd))
- resolved build options should be kept as a getter ([#22691](vitejs/vite#22691)) ([3527191](vitejs/vite@3527191))
- **server:** handle malformed URI in memory files middleware ([#22714](vitejs/vite#22714)) ([df9e0a5](vitejs/vite@df9e0a5))
- use literal envPrefix queries for Vite Task ([#22706](vitejs/vite#22706)) ([da72733](vitejs/vite@da72733))
- warn on deprecated envFile ([#22555](vitejs/vite#22555)) ([ed7b283](vitejs/vite@ed7b283))

##### Code Refactoring

- **client:** inline dev-id value in CSS selector ([#22736](vitejs/vite#22736)) ([57f59bc](vitejs/vite@57f59bc))
- remove unused removeRawQuery util ([#22724](vitejs/vite#22724)) ([403cc60](vitejs/vite@403cc60))
- use `rolldownOptions` property for chunkImportMap ([#22692](vitejs/vite#22692)) ([8e8816c](vitejs/vite@8e8816c))


## [v8.0.16](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small)

##### Bug Fixes

- **deps:** reject UNC paths for launch-editor-middleware ([#22571](vitejs/vite#22571)) ([50b9512](vitejs/vite@50b9512))
- reject windows alternate paths ([#22572](vitejs/vite#22572)) ([dc245c7](vitejs/vite@dc245c7))


## [v8.0.15](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small)

##### Features

- send 408 on request timeout ([#22476](vitejs/vite#22476)) ([c85c9ee](vitejs/vite@c85c9ee))
- update rolldown to 1.0.3 ([#22538](vitejs/vite#22538)) ([646dbed](vitejs/vite@646dbed))

##### Bug Fixes

- capitalize error messages and remove spurious space in parse error ([#22488](vitejs/vite#22488)) ([85a0eff](vitejs/vite@85a0eff))
- **deps:** update all non-major dependencies ([#22511](vitejs/vite#22511)) ([2686d7d](vitejs/vite@2686d7d))
- **dev:** fix html-proxy cache key mismatch for /@fs/ HTML paths ([#21762](vitejs/vite#21762)) ([47c4213](vitejs/vite@47c4213))
- **glob:** error on relative glob in virtual module when no files match ([#22497](vitejs/vite#22497)) ([5c8e98f](vitejs/vite@5c8e98f))
- **optimizer:** close the rolldown bundle when write() rejects ([#22528](vitejs/vite#22528)) ([e3cfb9d](vitejs/vite@e3cfb9d))
- **resolve:** provide onWarn for viteResolvePlugin in JS plugin containers ([#22509](vitejs/vite#22509)) ([40985f1](vitejs/vite@40985f1))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies ([#22566](vitejs/vite#22566)) ([3052a67](vitejs/vite@3052a67))

##### Code Refactoring

- correct logic in `collectAllModules` function ([#22562](vitejs/vite#22562)) ([6978a9c](vitejs/vite@6978a9c))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feat: dev dev server p2-edge-case Bug, but has workaround or limited in scope (priority)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants