path traversal exploit fix from upstream

Signed-off-by: ngn <ngn@ngn.tf>
2025-03-09 04:31:02 +03:00 · 2025-03-09 04:31:02 +03:00 · 7a4806c5a3
commit 7a4806c5a3
parent e9bbc0f307
1 changed files with 9 additions and 4 deletions
--- a/src/favicon.php
+++ b/src/favicon.php
@ -12,11 +12,16 @@ new favicon($_GET["s"]);
 class favicon{
 	
 	public function __construct($url){
-		
+
 		header("Content-Type: image/png");
-		
-		if(substr_count($url, "/") !== 2){
-			
+
+		if(
+			preg_match(
+				'/^https?:\/\/[A-Za-z0-9.-]+$/',
+				$url
+			) === 0
+		){
+
 			header("X-Error: Only provide the protocol and domain");
 			$this->defaulticon();
 		}