From 6e013f9d1d490da8054d25945551c6af11f48857 Mon Sep 17 00:00:00 2001
From: f0x <f0x@cthu.lu>
Date: Mon, 20 May 2024 20:58:05 +0200
Subject: [PATCH] fix sendFile path

---
 server/plugins/uploader.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/plugins/uploader.ts b/server/plugins/uploader.ts
index 62f6bbce..ff6d9555 100644
--- a/server/plugins/uploader.ts
+++ b/server/plugins/uploader.ts
@@ -148,7 +148,8 @@ class Uploader {
 		res.setHeader("Content-Disposition", disposition);
 		res.contentType(detectedMimeType);
 
-		return res.sendFile(filePath, {
+		// using unsafePath because it's safely resolved against 'root' by sendFile
+		return res.sendFile(unsafePath, {
 			root: uploadPath,
 			maxAge: 86400
 		});