From 56258a4f1b2dcdd5e539794cad0a13341f6ccf10 Mon Sep 17 00:00:00 2001
From: Alex Shnitman
Date: Thu, 19 Feb 2026 09:32:23 +0200
Subject: [PATCH] disallow upward directory traversal in request-generated templates
---
app/main.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/app/main.py b/app/main.py
index 65a4ea3..fe893d5 100644
--- a/app/main.py
+++ b/app/main.py
@@ -250,6 +250,8 @@ async def add(request):
if custom_name_prefix is None:
custom_name_prefix = ''
+ if custom_name_prefix and ('..' in custom_name_prefix or custom_name_prefix.startswith('/') or custom_name_prefix.startswith('\\')):
+ raise web.HTTPBadRequest(reason='custom_name_prefix must not contain ".." or start with a path separator')
if auto_start is None:
auto_start = True
if playlist_item_limit is None:
@@ -258,6 +260,8 @@ async def add(request):
split_by_chapters = False
if chapter_template is None:
chapter_template = config.OUTPUT_TEMPLATE_CHAPTER
+ if chapter_template and ('..' in chapter_template or chapter_template.startswith('/') or chapter_template.startswith('\\')):
+ raise web.HTTPBadRequest(reason='chapter_template must not contain ".." or start with a path separator')
playlist_item_limit = int(playlist_item_limit)
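Review bot: The predicate added in this hunk for `custom_name_prefix` is copied verbatim for `chapter_template` in the `@@ -258` hunk with only the field name changed, so the next request-supplied template parameter will likely get a third copy that drifts; a small module-level helper called from both places keeps the rule in one spot and lets `startswith(('/', '\\'))` replace the two `or` branches. The check is a plain string denylist on the raw template: `'..' in` and a leading `/` or `\` are rejected, but a drive-letter absolute prefix such as `C:\…` passes both tests, and because the string is presumably expanded later as a downloader output template, the check cannot by itself prove the final file lands under the download directory — that is outside this hunk, so hedged, but a containment check on the resolved output path (`Path(...).resolve()` plus `is_relative_to(download_dir)`) where the file is actually written would be the durable guard. The `chapter_template` check also runs against the server-side `config.OUTPUT_TEMPLATE_CHAPTER` fallback, so a default containing `..` turns every request into a 400; a one-line comment such as `# validated after defaulting: a bad config default fails loudly rather than silently` would make that intentional. `add()` starts and ends outside both hunks.
```python
def _reject_path_escape(name, value):
    """Reject a request-supplied output template that could leave the download directory.

    String-level denylist only: '..' anywhere, or a leading '/' or '\\'.
    """
    if value and ('..' in value or value.startswith(('/', '\\'))):
        raise web.HTTPBadRequest(reason=f'{name} must not contain ".." or start with a path separator')

# … unchanged: add() up to the custom_name_prefix default …
    _reject_path_escape('custom_name_prefix', custom_name_prefix)
# … unchanged: auto_start / playlist_item_limit / split_by_chapters / chapter_template defaults …
    _reject_path_escape('chapter_template', chapter_template)
```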