From b1a847cf2ce2e489b05ed286224c286eb3003a44 Mon Sep 17 00:00:00 2001
From: LordMZTE <lord@mzte.de>
Date: Wed, 22 Mar 2023 18:39:04 +0100
Subject: [PATCH] fix: don't allow absolute paths (duh)

---
 src/routes.zig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes.zig b/src/routes.zig
index 7477d6c..dc64bf6 100644
--- a/src/routes.zig
+++ b/src/routes.zig
@@ -258,7 +258,7 @@ pub fn vidsRoute(
             const filepath = try std.fs.path.resolve(std.heap.c_allocator, &.{ state.vids_dir, basepath });
             defer std.heap.c_allocator.free(filepath);
 
-            if (std.mem.startsWith(u8, filepath, ".."))
+            if (std.fs.path.isAbsolute(filepath) or std.mem.startsWith(u8, filepath, ".."))
                 return c.OCS_FORBIDDEN;
 
             const filepath_z = try std.heap.c_allocator.dupeZ(u8, filepath);