From 71e17cb15bdddf1a2c8e209446b4e353be246ddd Mon Sep 17 00:00:00 2001
From: frosty <gabriel@bwaaa.monster>
Date: Tue, 10 Mar 2026 01:30:21 -0400
Subject: fix: path traversal and cookie buffer issues

---
 src/template.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'src/template.c')

diff --git a/src/template.c b/src/template.c
index 3bd583b..20cf10b 100644
--- a/src/template.c
+++ b/src/template.c
@@ -757,6 +757,18 @@ static char *render_template_segment(const char *template_segment,
           strncpy(included_filename, filename_start, filename_len);
           included_filename[filename_len] = '\0';
 
+          if (strstr(included_filename, "..") != NULL || strchr(included_filename, '/') != NULL) {
+            fprintf(stderr,
+                    "[SECURITY] render_template_segment: Path traversal attempt in include: %s\n",
+                    included_filename);
+            free(included_filename);
+            append_to_buffer(&rendered_buffer, &current_len, &max_len,
+                             "<!-- Include blocked: path traversal not allowed -->");
+            current_pos = end_tag + 2;
+            free(tag_content_raw);
+            continue;
+          }
+
           char *included_html = render_template(included_filename, ctx);
           if (included_html) {
             append_to_buffer(&rendered_buffer, &current_len, &max_len,
@@ -926,6 +938,13 @@ static char *render_template_segment(const char *template_segment,
 char *render_template(const char *template_file, TemplateContext *ctx) {
   char full_path[MAX_PATH_LEN];
 
+  if (strstr(template_file, "..") != NULL) {
+    fprintf(stderr,
+            "[SECURITY] render_template: Path traversal attempt: %s\n",
+            template_file);
+    return NULL;
+  }
+
   snprintf(full_path, sizeof(full_path), "%s%s", TEMPLATES_DIR, template_file);
 
   FILE *fp = fopen(full_path, "r");
-- 
cgit v1.2.3