From 03ee338f15f4a97313319b9363957d1789aaeea7 Mon Sep 17 00:00:00 2001
From: marcobaobao
Date: Tue, 17 Sep 2024 10:00:57 +0200
Subject: [PATCH] better filename guards closes #195
---
 server/handlers/archive.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/handlers/archive.go b/server/handlers/archive.go
index d77db4f..d8114a7 100644
--- a/server/handlers/archive.go
+++ b/server/handlers/archive.go
@@ -158,7 +158,7 @@ func SendFile(w http.ResponseWriter, r *http.Request) {
 root := config.Instance().DownloadPath
- if strings.Contains(filepath.Dir(filename), root) {
+ if strings.Contains(filepath.Dir(filepath.Clean(filename)), filepath.Clean(root)) {
 http.ServeFile(w, r, filename)
 return
 }
@@ -190,7 +190,7 @@ func DownloadFile(w http.ResponseWriter, r *http.Request) {
 root := config.Instance().DownloadPath
- if strings.Contains(filepath.Dir(filename), root) {
+ if strings.Contains(filepath.Dir(filepath.Clean(filename)), filepath.Clean(root)) {
 w.Header().Add("Content-Disposition", "inline; filename=\""+filepath.Base(filename)+"\"")
 w.Header().Set("Content-Type", "application/octet-stream")
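Review bot: The guard in SendFile is still a substring test, so `strings.Contains(filepath.Dir(filepath.Clean(filename)), filepath.Clean(root))` accepts any cleaned path that merely has the root string somewhere in it, such as a sibling directory whose name starts with the root path; the same condition is repeated in the DownloadFile hunk. A containment check would be `rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(filename))` followed by `if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {`. `filepath.Clean` is purely lexical, so if symlinks can exist under the download path both sides would presumably need `filepath.EvalSymlinks` before the comparison. The value that passed the check should also be the one served, since `http.ServeFile(w, r, filename)` still receives the uncleaned `filename`. Both function bodies start and end outside the hunks, so how `filename` is decoded from the request is not visible here.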