From 034882c0e5c7aab283a620ebea4c2fce66f208be Mon Sep 17 00:00:00 2001
From: jabuxas
Date: Mon, 10 Feb 2025 16:41:29 -0300
Subject: [PATCH] fix: being able to access a file if someone knows app.filesDir
---
 handlers.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handlers.go b/handlers.go
index ae50a29..48434ae 100644
--- a/handlers.go
+++ b/handlers.go
@@ -110,7 +110,7 @@ func (app *Application) indexHandler(w http.ResponseWriter, r *http.Request) {
 name := filepath.Base(r.URL.Path)
 realPath := filepath.Join(app.filesDir, name)
- if !filepath.IsLocal(realPath) {
+ if !filepath.IsLocal(realPath) || strings.Contains(r.URL.Path, filepath.Clean(app.filesDir)) {
 http.Error(w, "Wrong url", http.StatusBadRequest)
 return
 }
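Review bot: The added `strings.Contains(r.URL.Path, filepath.Clean(app.filesDir))` test is a substring denylist, so it returns 400 for any request whose path merely contains the directory name (with a constructed filesDir of `files`, a path such as `/myfiles.txt` is rejected), and the protection depends on string matching rather than on which path the handler opens. `filepath.Clean` returns OS separators, so on Windows a nested filesDir would never match the slash-separated URL path, and on a case-insensitive filesystem a differently-cased spelling would presumably slip past the comparison. Because `name` is already `filepath.Base(r.URL.Path)`, `filepath.IsLocal(realPath)` mostly tests the configured directory rather than the request; validating `name` itself and ensuring the rest of the handler only ever opens `realPath`, never a path derived from `r.URL.Path`, would address the cause instead of the symptom. If the string test is kept, compare whole path segments against `filepath.ToSlash(filepath.Clean(app.filesDir))` instead of using `strings.Contains`. The body of indexHandler continues outside the hunk, so how the file is finally served is not visible here and should be confirmed.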