Fix LFI bug

Previously we blindly read whatever path the client provided and if the
user could read the file it would return from the call.

src/main.rs

@@ -203,7 +203,11 @@ async fn stream_video(
     let playlist = &path.path;
     println!("Playlist: {}", playlist);
 
-    if let Ok(file) = NamedFile::open(playlist) {
+    // Extract video playlist dir to dotenv
+    if !playlist.starts_with("tmp") || playlist.contains("..") {
+        HttpResponse::NotFound().finish()
+    }
+    else if let Ok(file) = NamedFile::open(playlist) {
         file.into_response(&request).unwrap()
     } else {
         HttpResponse::NotFound().finish()