vitejs
diff --git a/‎packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
Lines changed: 22 additions & 0 deletions b/‎packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
Lines changed: 22 additions & 0 deletions
diff --git a/‎packages/playground/fs-serve/__tests__/deny/vite.config.js
Lines changed: 1 addition & 0 deletions b/‎packages/playground/fs-serve/__tests__/deny/vite.config.js
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/playground/fs-serve/package.json
Lines changed: 4 additions & 1 deletion b/‎packages/playground/fs-serve/package.json
Lines changed: 4 additions & 1 deletion
diff --git a/‎packages/playground/fs-serve/root/src/deny/.deny
Lines changed: 1 addition & 0 deletions b/‎packages/playground/fs-serve/root/src/deny/.deny
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/playground/fs-serve/root/src/deny/deny.txt
Lines changed: 1 addition & 0 deletions b/‎packages/playground/fs-serve/root/src/deny/deny.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/playground/fs-serve/root/vite.config-deny.js
Lines changed: 15 additions & 0 deletions b/‎packages/playground/fs-serve/root/vite.config-deny.js
Lines changed: 15 additions & 0 deletions
diff --git a/‎packages/vite/src/node/server/middlewares/static.ts
Lines changed: 9 additions & 3 deletions b/‎packages/vite/src/node/server/middlewares/static.ts
Lines changed: 9 additions & 3 deletions
@@ -0,0 +1,22 @@
+import { isBuild } from '../../../testUtils'
+
+describe('main', () => {
+  if (!isBuild) {
+    test('**/deny/** should deny src/deny/deny.txt', async () => {
+      const res = await page.request.fetch(
+        new URL('/src/deny/deny.txt', viteTestUrl).href
+      )
+      expect(res.status()).toBe(403)
+    })
+    test('**/deny/** should deny src/deny/.deny', async () => {
+      const res = await page.request.fetch(
+        new URL('/src/deny/.deny', viteTestUrl).href
+      )
+      expect(res.status()).toBe(403)
+    })
+  } else {
+    test('dummy test to make jest happy', async () => {
+      // Your test suite must contain at least one test.
+    })
+  }
+})
@@ -0,0 +1 @@
+module.exports = require('../../root/vite.config-deny')
@@ -6,6 +6,9 @@
     "dev": "vite root",
     "build": "vite build root",
     "debug": "node --inspect-brk ../../vite/bin/vite",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "dev:deny": "vite root --config ./root/vite.config-deny.js",
+    "build:deny": "vite build root --config ./root/vite.config-deny.js",
+    "preview:deny": "vite preview root --config ./root/vite.config-deny.js"
   }
 }
@@ -0,0 +1 @@
+.deny
@@ -0,0 +1 @@
+deny
@@ -0,0 +1,15 @@
+const path = require('path')
+const { defineConfig } = require('vite')
+
+module.exports = defineConfig({
+  server: {
+    fs: {
+      strict: true,
+      allow: [path.resolve(__dirname, 'src')],
+      deny: ['**/deny/**']
+    }
+  },
+  define: {
+    ROOT: JSON.stringify(path.dirname(__dirname).replace(/\\/g, '/'))
+  }
+})
@@ -156,7 +156,11 @@ export function serveRawFsMiddleware(
   }
 }
 
-const _matchOptions = { matchBase: true, nocase: true }
+const _matchOptions = {
+  matchBase: false,
+  nocase: true,
+  dot: true
+}
 
 export function isFileServingAllowed(
   url: string,
@@ -166,8 +170,10 @@ export function isFileServingAllowed(
 
   const file = fsPathFromUrl(url)
 
-  if (server.config.server.fs.deny.some((i) => isMatch(file, i, _matchOptions)))
-    return false
+  const deny = server.config.server.fs.deny.map((pattern) =>
+    pattern.includes('/') ? pattern : `**/${pattern}`
+  )
+  if (deny.some((i) => isMatch(file, i, _matchOptions))) return false
 
   if (server.moduleGraph.safeModulesPath.has(file)) return true
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+module.exports = require('../../root/vite.config-deny')`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,9 @@`
`6`	`6`	`"dev": "vite root",`
`7`	`7`	`"build": "vite build root",`
`8`	`8`	`"debug": "node --inspect-brk ../../vite/bin/vite",`
`9`		`- "preview": "vite preview"`
	`9`	`+ "preview": "vite preview",`
	`10`	`+ "dev:deny": "vite root --config ./root/vite.config-deny.js",`
	`11`	`+ "build:deny": "vite build root --config ./root/vite.config-deny.js",`
	`12`	`+ "preview:deny": "vite preview root --config ./root/vite.config-deny.js"`
`10`	`13`	`}`
`11`	`14`	`}`