Fix static file path handling for security

Use REQUEST_URI and parse_url to properly handle paths Prevent directory traversal with stricter sanitization
2025-10-02 17:19:15 +02:00 · 2025-10-02 17:19:15 +02:00 · 19bb105303
commit 19bb105303
parent 2994f7cf6d
1 changed files with 2 additions and 1 deletions
--- a/app/static.php
+++ b/app/static.php
@ -1,6 +1,7 @@
 <?php
 // Serve static files from /app directory
-$file = $_GET['file'] ?? '';
+$requestUri = $_SERVER['REQUEST_URI'];
+$file = preg_replace('#^/app/#', '', parse_url($requestUri, PHP_URL_PATH));
 $file = str_replace(['../', '..\\'], '', $file); // Prevent directory traversal

 // Map request paths to actual file paths