Fix 8688ggu00 (2)

packages/backend/src/util/pathutil.js

@@ -32,17 +32,18 @@ class PathBuilder extends AdvancedBase {
     }
     
     add (fragment, options) {
+        const require = this.require;
+        const node_path = require('path');
+
         options = options || {};
         if ( ! options.allow_traversal ) {
-            fragment = fragment.replace(/(\.\.\/|\.\.\\)/g, '');
+            fragment = node_path.normalize(fragment);
+            fragment = fragment.replace(/(\.+\/|\.+\\)/g, '');
             if ( fragment === '..' ) {
                 fragment = '';
             }
         }
 
-        const require = this.require;
-        const node_path = require('path');
-
         this.path_ = this.path_
             ? node_path.join(this.path_, fragment)
             : fragment;

src/IPC.js

@@ -1016,7 +1016,8 @@ window.addEventListener('message', async (event) => {
         let create_missing_ancestors = false;
 
         console.warn(`The method ${event.data.msg} is deprecated - see docs.puter.com for more information.`);
-        event.data.filename = event.data.filename.replace(/(\.\.\/|\.\.\\)/g, '');
+        event.data.filename = path.normalize(event.data.filename)
+            .replace(/(\.+\/|\.+\\)/g, '');
 
         if(event.data.msg === 'saveToPictures')
             target_path = path.join(window.pictures_path, event.data.filename);