From 568a0146b46f5cbaa52b3509f757b23364471197 Mon Sep 17 00:00:00 2001
From: Rom <github.com@brillout.com>
Date: Fri, 23 Dec 2022 06:13:55 +0100
Subject: [PATCH] fix: stop considering parent URLs as public file (#11145)

---
 packages/vite/src/node/plugins/asset.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/vite/src/node/plugins/asset.ts b/packages/vite/src/node/plugins/asset.ts
index 954d50e936862d..d2dcb607a1b630 100644
--- a/packages/vite/src/node/plugins/asset.ts
+++ b/packages/vite/src/node/plugins/asset.ts
@@ -210,6 +210,10 @@ export function checkPublicFile(
     return
   }
   const publicFile = path.join(publicDir, cleanUrl(url))
+  if (!publicFile.startsWith(publicDir)) {
+    // can happen if URL starts with '../'
+    return
+  }
   if (fs.existsSync(publicFile)) {
     return publicFile
   } else {