From ab3913a429c4fed65c135ce976415cc88b5383c9 Mon Sep 17 00:00:00 2001
From: Fabian Jakobs
Date: Tue, 12 Apr 2016 10:26:51 +0000
Subject: [PATCH] decodeURIComponent can throw fixes https://github.com/c9/newclient/issues/13386
---
 plugins/c9.preview/lib/middleware/sanitize-path-param.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/plugins/c9.preview/lib/middleware/sanitize-path-param.js b/plugins/c9.preview/lib/middleware/sanitize-path-param.js
index f3cf8782..038c17f7 100644
--- a/plugins/c9.preview/lib/middleware/sanitize-path-param.js
+++ b/plugins/c9.preview/lib/middleware/sanitize-path-param.js
@@ -1,9 +1,16 @@
 "use strict";
 var Path = require("path");
+var error = require("http-error");
 module.exports = function sanitzePreviewPath(req, res, next) {
- var normalized = Path.normalize(decodeURIComponent(req.params.path));
+
+ var normalized;
+ try {
+ normalized = Path.normalize(decodeURIComponent(req.params.path));
+ } catch(e) {
+ return next(new error.BadRequest("URI malformed"));
+ }
 // N.B. Path.normalize does not strip away when the path starts with "../"
 if (normalized)