From 7a4806c5a322f13db1fa7bca70e46805350c0582 Mon Sep 17 00:00:00 2001
From: ngn
Date: Sun, 9 Mar 2025 04:31:02 +0300
Subject: [PATCH] path traversal exploit fix from upstream

Signed-off-by: ngn
---
 src/favicon.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/favicon.php b/src/favicon.php
index 2a31839..a3c1113 100644
--- a/src/favicon.php
+++ b/src/favicon.php
@@ -12,11 +12,16 @@ new favicon($_GET["s"]);
 class favicon{
 public function __construct($url){
-
+
 header("Content-Type: image/png");
-
- if(substr_count($url, "/") !== 2){
-
+
+ if(
+ preg_match(
+ '/^https?:\/\/[A-Za-z0-9.-]+$/',
+ $url
+ ) === 0
+ ){
+
 header("X-Error: Only provide the protocol and domain");
 $this->defaulticon();
 }
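Review bot: The regex on the added `preg_match` line still admits inputs the guard should reject: without the `D` modifier `$` matches before a trailing newline, so `?s=https://example.com%0A` passes with the newline intact, and `[A-Za-z0-9.-]+` accepts dot-only hosts such as `https://..`, which matters if the host is later used as a file-path component, as the commit subject suggests (that use is outside this hunk). The `=== 0` comparison also treats a `preg_match` error (it returns `false`, and `false === 0` is false) as a match, so a PCRE failure falls through to the valid-URL path. I would use `'/^https?:\/\/[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$/D'` so empty labels are rejected, compare with `) !== 1`, and add a comment above the check such as `// Accept only scheme + host with non-empty labels; D stops $ from matching before a trailing newline`. Whether execution stops after `$this->defaulticon()` cannot be seen here, and `__construct` continues past the end of this hunk.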