fix: restrict /preview to image extensions only

2026-04-07 13:47:36 +02:00
parent 8b50a85620
commit ccf878485d
1 changed files with 6 additions and 1 deletions
--- a/server.py
+++ b/server.py
@@ -44,11 +44,16 @@ def serve_frontend():
    return FileResponse("index.html")


+PREVIEW_ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
+
+
@app.get("/preview")
 def preview(path: str):
+    ext = os.path.splitext(path)[1].lower()
+    if ext not in PREVIEW_ALLOWED_EXTENSIONS:
+        raise HTTPException(status_code=403, detail="Dateityp nicht erlaubt")
    if not os.path.isfile(path):
        raise HTTPException(status_code=404, detail="Datei nicht gefunden")
-    ext = os.path.splitext(path)[1].lower()
    media = "image/jpeg" if ext in (".jpg", ".jpeg") else "image/png"
    with open(path, "rb") as f:
        return Response(content=f.read(), media_type=media)