dubyte / dir2opds

Serve an OPDS based on a directory
GNU General Public License v3.0
63 stars 12 forks source link

fix: http trasversal vulnerability #18

Closed dubyte closed 8 months ago

dubyte commented 8 months ago

To fix this, I use the dir parameter, for example: './book,' then go to the absolute + canonical path of it. This value will become the trusted root patch, so later, I can use it to compare if it is the root of any request. If it is not, then it is violating.

dubyte commented 8 months ago

This fix: https://github.com/dubyte/dir2opds/issues/17