fix: restrict /preview to image extensions only

This commit is contained in:
Ferdinand
2026-04-07 13:47:36 +02:00
parent 8b50a85620
commit ccf878485d


@@ -44,11 +44,16 @@ def serve_frontend():
return FileResponse("index.html") return FileResponse("index.html")
PREVIEW_ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
@app.get("/preview") @app.get("/preview")
def preview(path: str): def preview(path: str):
ext = os.path.splitext(path)[1].lower()
if ext not in PREVIEW_ALLOWED_EXTENSIONS:
raise HTTPException(status_code=403, detail="Dateityp nicht erlaubt")
if not os.path.isfile(path): if not os.path.isfile(path):
raise HTTPException(status_code=404, detail="Datei nicht gefunden") raise HTTPException(status_code=404, detail="Datei nicht gefunden")
ext = os.path.splitext(path)[1].lower()
media = "image/jpeg" if ext in (".jpg", ".jpeg") else "image/png" media = "image/jpeg" if ext in (".jpg", ".jpeg") else "image/png"
with open(path, "rb") as f: with open(path, "rb") as f:
return Response(content=f.read(), media_type=media) return Response(content=f.read(), media_type=media)