From f7232b61e6ae6e09be90b8aef1c234e0d85199f2 Mon Sep 17 00:00:00 2001
From: multipleof4
Date: Tue, 17 Feb 2026 19:51:50 -0800
Subject: [PATCH] Fix: Reject literal dots and slashes in pathname

---
 functions/[[path]].js | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/functions/[[path]].js b/functions/[[path]].js
index 92fa689..ebb5cad 100644
--- a/functions/[[path]].js
+++ b/functions/[[path]].js
@@ -8,17 +8,19 @@ export async function onRequest(context) {
     return env.ASSETS.fetch(request);
   }
 
+  // Reject literal dots and slashes (bot probes like info.php or wp-admin/setup-config.php)
+  // We check the raw pathname (excluding leading slash and trailing slashes) to allow encoded dots (%2E) and slashes (%2F)
+  const rawQueryPart = url.pathname.slice(1).replace(/\/+$/, "");
+  if (rawQueryPart.includes(".") || rawQueryPart.includes("/")) {
+    const badReq = new Request(new URL("/bad.webp", url.origin));
+    return env.ASSETS.fetch(badReq);
+  }
+
   const query = normalizeQuery(path);
   if (!query) {
     return jsonResponse(400, { error: "Empty query" });
   }
 
-  // Reject queries containing slashes (bot probes like wp-admin/setup-config.php)
-  if (query.includes("/")) {
-    const badReq = new Request(new URL("/bad.webp", url.origin));
-    return env.ASSETS.fetch(badReq);
-  }
-
   // Max query length: 200 chars after normalization
   if (query.length > 200) {
     return jsonResponse(400, { error: "Query too long (max 200 characters)" });
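Review bot: The new guard screens `url.pathname` while the query itself is built from `path` on the `normalizeQuery(path)` line, so the two views of the request can disagree: `%2E`/`%2F` pass the raw check by design, but the decoded `query` handed to the rest of the handler may now contain `.` and `/`, since the old `query.includes("/")` rejection is removed. Any code after the hunk that uses `query` in a file path, cache key or URL must not rely on this check, and the comment should say so, e.g. `// NOTE: only the encoded pathname is screened; the decoded query may still contain "." or "/" — downstream code must not treat it as a path`. If `url` is a WHATWG `URL` built from `request.url`, dot-segments such as `..` and `%2e%2e` have already been resolved before this line runs, which is worth stating in the same comment so nobody later "hardens" the check against them. As a matter of style the two `includes` calls read more directly as `if (/[./]/.test(rawQueryPart)) {`. onRequest starts before and ends after the hunk.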