From 2c8a11be8f3305652f54ff6dd58ec51275658c54 Mon Sep 17 00:00:00 2001
From: Samuel Johnson
Date: Tue, 25 Nov 2025 21:26:29 -0500
Subject: Prevent file loader from reading outside dir

---
 cmd/web/handlers/fs.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'cmd')

diff --git a/cmd/web/handlers/fs.go b/cmd/web/handlers/fs.go
index 1a68e35..8a10409 100644
--- a/cmd/web/handlers/fs.go
+++ b/cmd/web/handlers/fs.go
@@ -34,7 +34,14 @@ func (ctx *fsContext) readdir(w http.ResponseWriter, r *http.Request) {
 
 func (ctx *fsContext) get(w http.ResponseWriter, r *http.Request) {
 	name := r.URL.Query().Get("file")
-	file, err := os.ReadFile(ctx.path + "/" + name)
+	root, err := os.OpenRoot(ctx.path)
+	if err != nil {
+		ctx.err.Printf("Could not create root: %v\n", err)
+		http.Error(w, "Internal Server Error", 500)
+		return
+	}
+
+	file, err := root.ReadFile(name)
 	if err != nil {
 		ctx.err.Print(err.Error())
 		http.Error(w, "Internal Server Error", 500)
-- 
cgit v1.2.3
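Review bot: The `*os.Root` returned by `os.OpenRoot` on the first added line is never closed, so every request to `get` leaks the directory descriptor it holds; add `defer root.Close()` immediately after the `if err != nil` block that follows it. `root.ReadFile(name)` also fails for a missing file and for a `name` that would escape `ctx.path`, and both are currently logged and answered as a 500, which turns client-supplied bad paths into server-error noise in the log; mapping the not-found case with `if errors.Is(err, os.ErrNotExist) { http.NotFound(w, r); return }` ahead of the generic branch keeps the log meaningful (the `errors` import and whatever the escape error should map to are outside the hunk, so confirm both). `os.OpenRoot` needs Go 1.24 or later, and the module's go directive is not visible in this change. The body of `get` continues past the end of the hunk.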