strip leading slashes from path if double-slash is accidentally used, stripping trailing slash from relative path retrieved from config.json

src/middleware/index.js

@@ -34,6 +34,15 @@ require('./maintenance')(middleware);
 require('./user')(middleware);
 require('./headers')(middleware);
 
+middleware.stripLeadingSlashes = function (req, res, next) {
+	var target = req.originalUrl.replace(nconf.get('relative_path'), '');
+	if (target.startsWith('//')) {
+		res.redirect(nconf.get('relative_path') + target.replace(/^\/+/, '/'));
+	} else {
+		next();
+	}
+};
+
 middleware.pageView = function (req, res, next) {
 	analytics.pageView({
 		ip: req.ip,

src/routes/index.js

@@ -113,6 +113,8 @@ module.exports = function (app, middleware, hotswapIds, callback) {
 	pluginRouter.hotswapId = 'plugins';
 	authRouter.hotswapId = 'auth';
 
+	app.use(middleware.stripLeadingSlashes);
+
 	app.all(relativePath + '(/api|/api/*?)', middleware.prepareAPI);
 	app.all(relativePath + '(/api/admin|/api/admin/*?)', middleware.isAdmin);
 	app.all(relativePath + '(/admin|/admin/*?)', ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login?local=1'), middleware.applyCSRF, middleware.isAdmin);

src/start.js

@@ -93,7 +93,7 @@ function setupConfigs() {
 	}
 	// Parse out the relative_url and other goodies from the configured URL
 	var urlObject = url.parse(nconf.get('url'));
-	var relativePath = urlObject.pathname !== '/' ? urlObject.pathname : '';
+	var relativePath = urlObject.pathname !== '/' ? urlObject.pathname.replace(/\/+$/, '') : '';
 	nconf.set('base_url', urlObject.protocol + '//' + urlObject.host);
 	nconf.set('secure', urlObject.protocol === 'https:');
 	nconf.set('use_port', !!urlObject.port);