The previous check only looked for ".." substring, which missed:
- Absolute paths (/etc/passwd)
- URL-encoded traversal patterns
- Paths that clean to traversal (./../../etc)

Now uses filepath.Clean() and filepath.IsAbs() for robust validation:
- Rejects absolute paths
- Cleans paths before checking for traversal
- Uses cleaned path for database lookup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
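A sketch of the validation order the commit message describes (reject absolute paths, clean, check for traversal, return the cleaned path for the lookup). This is an added example, not the project's code: `cleanRelPath`, `errUnsafePath` and the sample inputs are hypothetical and constructed here, and it assumes the input has already been URL-decoded by the caller, since `filepath.Clean()` does no decoding itself.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errUnsafePath = errors.New("unsafe path")

// cleanRelPath (hypothetical helper) returns the cleaned form of a
// relative path, or an error if it is absolute or escapes its root.
func cleanRelPath(p string) (string, error) {
	if p == "" || strings.ContainsRune(p, 0) {
		return "", errUnsafePath
	}
	sep := string(filepath.Separator)
	p = filepath.FromSlash(p)
	// IsAbs covers /etc/passwd; the prefix test also catches rooted
	// paths without a drive letter on Windows, where IsAbs is false.
	if filepath.IsAbs(p) || strings.HasPrefix(p, sep) {
		return "", errUnsafePath
	}
	// Clean resolves "." and ".." lexically, so any escape from the
	// root ends up as a leading ".." element in the result.
	c := filepath.Clean(p)
	if c == ".." || strings.HasPrefix(c, ".."+sep) {
		return "", errUnsafePath
	}
	return c, nil // use this value, not the raw input, for the lookup
}

func main() {
	// Constructed sample inputs.
	inputs := []string{
		"/etc/passwd",
		"./../../etc",
		"docs/../../etc",
		"docs/./a/../readme.md",
		"..hidden/notes.txt", // contains ".." but is not traversal
	}
	for _, in := range inputs {
		out, err := cleanRelPath(in)
		fmt.Printf("%-24q -> %q, err=%v\n", in, out, err)
	}
}
```

The last input shows why comparing path elements after cleaning is more precise than a substring match: a file name that merely contains ".." is accepted, while every path that resolves above the root is rejected.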