From 0adffe625a26fba47819e4f6e0acc21cef0a6f6c Mon Sep 17 00:00:00 2001
From: Benny
Date: Mon, 22 Apr 2024 19:33:32 +0200
Subject: [PATCH 1/4] Directory traversal with malformed HTTP request #330

---
 handler/router.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/handler/router.go b/handler/router.go
index 3328a867d..30f7d91fc 100644
--- a/handler/router.go
+++ b/handler/router.go
@@ -22,6 +22,12 @@ func Convert(c *fiber.Ctx) error {
 // 2. generate rawImagePath, could be local path or remote url(possible with query string)
 // 3. pass it to encoder, get the result, send it back
+ // normal http request will start with /
+ if !strings.HasPrefix(c.Path(), "/") {
+ _ = c.SendStatus(http.StatusBadRequest)
+ return nil
+ }
+
 var (
 reqHostname = c.Hostname()
 reqHost = c.Protocol() + "://" + reqHostname // http://www.example.com:8000

From 966a6c12df12531daa9abe75c3d37bb2d7b6ad7d Mon Sep 17 00:00:00 2001
From: Benny
Date: Mon, 22 Apr 2024 19:34:41 +0200
Subject: [PATCH 2/4] bump version

---
 config/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/config.go b/config/config.go
index 78da7fc89..20c79d66d 100644
--- a/config/config.go
+++ b/config/config.go
@@ -50,7 +50,7 @@ var (
 ProxyMode bool
 Prefetch bool
 Config = NewWebPConfig()
- Version = "0.11.2"
+ Version = "0.11.3"
 WriteLock = cache.New(5*time.Minute, 10*time.Minute)
 ConvertLock = cache.New(5*time.Minute, 10*time.Minute)
 RemoteRaw = "./remote-raw"

From a62f3f2d3119b9e6b6187967e3a05443a7a164d1 Mon Sep 17 00:00:00 2001
From: Benny
Date: Mon, 22 Apr 2024 20:24:36 +0200
Subject: [PATCH 3/4] also %2e

---
 handler/router.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler/router.go b/handler/router.go
index 30f7d91fc..afcc327d2 100644
--- a/handler/router.go
+++ b/handler/router.go
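Review bot: The guard added to Convert only rejects a request target that does not begin with `/`; it does not look at the remainder of the path, and whether `c.Path()` is raw or percent-decoded at this point is not visible in the hunk, so dot-segments inside an otherwise well-formed path are left to whatever code follows in Convert (the function continues past the hunk). A check that holds regardless of how the target is spelled is to canonicalize the local file path with `path.Clean` and verify with `filepath.Rel` that it stays under the configured image directory, returning 400 on any escape; the same observation applies to the restored form of this condition in PATCH 4/4. On the new lines themselves, `_ = c.SendStatus(http.StatusBadRequest)` followed by `return nil` drops the send error where fiber's idiom is `return c.SendStatus(http.StatusBadRequest)`. The comment would also be more useful stating what is rejected and why, e.g. `// Reject request targets that are not origin-form ("/..."); see #330.`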
@@ -23,7 +23,7 @@ func Convert(c *fiber.Ctx) error {
 // 3. pass it to encoder, get the result, send it back
 // normal http request will start with /
- if !strings.HasPrefix(c.Path(), "/") {
+ if strings.HasPrefix(c.Path(), ".") || strings.HasPrefix(c.Path(), "%2e") {
 _ = c.SendStatus(http.StatusBadRequest)
 return nil
 }

From f4f241b23d8bc4892d5e56b3bf3d607fc39d1923 Mon Sep 17 00:00:00 2001
From: n0vad3v
Date: Tue, 23 Apr 2024 13:05:14 +0800
Subject: [PATCH 4/4] Use prefix to check invalid Path

---
 handler/router.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler/router.go b/handler/router.go
index afcc327d2..30f7d91fc 100644
--- a/handler/router.go
+++ b/handler/router.go
@@ -23,7 +23,7 @@ func Convert(c *fiber.Ctx) error {
 // 3. pass it to encoder, get the result, send it back
 // normal http request will start with /
- if strings.HasPrefix(c.Path(), ".") || strings.HasPrefix(c.Path(), "%2e") {
+ if !strings.HasPrefix(c.Path(), "/") {
 _ = c.SendStatus(http.StatusBadRequest)
 return nil
 }
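Review bot: The condition introduced in PATCH 3/4 is a string denylist on the first path segment: `strings.HasPrefix(c.Path(), "%2e")` is an exact, case-sensitive byte comparison against one spelling of an encoded dot, and prefix tests say nothing about dot-segments deeper in the path. PATCH 4/4 on this same line reverts to the leading-slash form, so the dot-handling intent of this hunk is dropped rather than combined with it; if that intent still stands, it is better expressed after decoding and `path.Clean` on the resulting local path (with a containment check against the image directory) than as raw prefix matching, and the comment `// normal http request will start with /` no longer described what this version of the condition checked. Convert's body continues outside the hunk.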