From ccf878485dc25f8af08b64ca97c6bb912edd684e Mon Sep 17 00:00:00 2001
From: Ferdinand
Date: Tue, 7 Apr 2026 13:47:36 +0200
Subject: [PATCH] fix: restrict /preview to image extensions only
---
 server.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/server.py b/server.py
index aabf883..94dc5c9 100644
--- a/server.py
+++ b/server.py
@@ -44,11 +44,16 @@ def serve_frontend():
 return FileResponse("index.html")
+PREVIEW_ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
+
+
 @app.get("/preview")
 def preview(path: str):
+ ext = os.path.splitext(path)[1].lower()
+ if ext not in PREVIEW_ALLOWED_EXTENSIONS:
+ raise HTTPException(status_code=403, detail="Dateityp nicht erlaubt")
 if not os.path.isfile(path):
 raise HTTPException(status_code=404, detail="Datei nicht gefunden")
- ext = os.path.splitext(path)[1].lower()
 media = "image/jpeg" if ext in (".jpg", ".jpeg") else "image/png"
 with open(path, "rb") as f:
 return Response(content=f.read(), media_type=media)