From d2f7423c6c13190310403f8ca65a54b1b9a5ac71 Mon Sep 17 00:00:00 2001
From: Cameron Cordes <cameronc.dev@gmail.com>
Date: Tue, 15 Sep 2020 16:35:05 -0400
Subject: [PATCH] Fix LFI bug

Previously we blindly read whatever path the client provided and if the
user could read the file it would return from the call.
---
 src/main.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main.rs b/src/main.rs
index 8fdf50c..ef9aa7a 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -203,7 +203,11 @@ async fn stream_video(
     let playlist = &path.path;
     println!("Playlist: {}", playlist);
 
-    if let Ok(file) = NamedFile::open(playlist) {
+    // Extract video playlist dir to dotenv
+    if !playlist.starts_with("tmp") || playlist.contains("..") {
+        HttpResponse::NotFound().finish()
+    }
+    else if let Ok(file) = NamedFile::open(playlist) {
         file.into_response(&request).unwrap()
     } else {
         HttpResponse::NotFound().finish()