added safety and color

2026-04-20 11:56:24 +02:00 · 2026-04-20 11:56:24 +02:00 · 25d607e68c
commit 25d607e68c
parent a7ce92ba57
3 changed files with 129 additions and 41 deletions
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@ -205,7 +205,36 @@ func (h *Handler) DownloadFile(w http.ResponseWriter, r *http.Request) {

 func (h *Handler) RawFile(w http.ResponseWriter, r *http.Request) {
 	fileName := strings.TrimPrefix(r.URL.Path, "/raw/")
-	http.ServeFile(w, r, filepath.Join(h.dir, fileName))
+
+	// Security: Prevent path traversal attacks
+	if fileName == "" || strings.Contains(fileName, "..") || strings.HasPrefix(fileName, "/") {
+		http.Error(w, "Invalid path", http.StatusBadRequest)
+		return
+	}
+
+	// Clean the path to prevent any directory traversal
+	cleanPath := filepath.Clean(fileName)
+	if strings.Contains(cleanPath, "..") {
+		http.Error(w, "Invalid path", http.StatusBadRequest)
+		return
+	}
+
+	fullPath := filepath.Join(h.dir, cleanPath)
+
+	// Verify the file exists and is within the allowed directory
+	fileInfo, err := os.Stat(fullPath)
+	if err != nil {
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
+
+	// Ensure it's not a directory
+	if fileInfo.IsDir() {
+		http.Error(w, "Not found", http.StatusNotFound)
+		return
+	}
+
+	http.ServeFile(w, r, fullPath)
 }

 func (h *Handler) ServeStatic(w http.ResponseWriter, r *http.Request) {
@ -318,10 +347,18 @@ func fileIcon(name string) string {
 		return "💿"
 	case ".pdf":
 		return "📄"
-	case ".jpg", ".png", ".jpeg":
+	case ".jpg", ".png", ".jpeg", ".gif", ".pcx", ".bmp":
 		return "🖼️"
 	case ".txt", ".md":
 		return "📝"
+	case ".mp3", ".mod", ".ogg", ".wav", ".flac":
+		return "🎵"
+	case ".mp4", ".avi", ".mov":
+		return "🎬"
+	case ".zip", ".rar", ".7z":
+		return "📦"
+	case ".exe", ".msi":
+		return "📦"
 	default:
 		return "📄"
 	}