fix: don't allow absolute paths (duh)

2023-03-22 18:39:04 +01:00 · 2023-03-22 18:39:04 +01:00 · b1a847cf2c
parent 8629c93766
commit b1a847cf2c
1 changed files with 1 additions and 1 deletions
--- a/src/routes.zig
+++ b/src/routes.zig
@ -258,7 +258,7 @@ pub fn vidsRoute(
            const filepath = try std.fs.path.resolve(std.heap.c_allocator, &.{ state.vids_dir, basepath });
            defer std.heap.c_allocator.free(filepath);

-            if (std.mem.startsWith(u8, filepath, ".."))
+            if (std.fs.path.isAbsolute(filepath) or std.mem.startsWith(u8, filepath, ".."))
                return c.OCS_FORBIDDEN;

            const filepath_z = try std.heap.c_allocator.dupeZ(u8, filepath);