From c9697b1778a427e8850a3f0a8e611f3ef406b2e7 Mon Sep 17 00:00:00 2001
From: eiiko6
Date: Mon, 23 Feb 2026 23:53:45 +0100
Subject: [PATCH] added theoretical path traversal security, and fixed assets url

---
 src/rendering.rs | 14 +++++++++++++-
 templates/page.html | 2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/rendering.rs b/src/rendering.rs
index 433a6d8..690e9ea 100644
--- a/src/rendering.rs
+++ b/src/rendering.rs
@@ -24,7 +24,19 @@ pub async fn render_wiki_page(
     no_navigation: bool,
     is_static: bool,
 ) -> Result {
-    let toml_path = docs_dir.join(filename);
+    let toml_path = docs_dir
+        .join(filename)
+        .canonicalize()
+        .map_err(|_| "Not found")?;
+
+    let canonical_root = docs_dir
+        .canonicalize()
+        .map_err(|_| "Server Error: Invalid Root")?;
+
+    if !toml_path.starts_with(&canonical_root) {
+        return Err("Access Denied".to_string());
+    }
+
     let toml_content = tokio::fs::read_to_string(&toml_path)
         .await
         .map_err(|_| "Page configuration not found".to_string())?;
diff --git a/templates/page.html b/templates/page.html
index f64ceba..d852e02 100644
--- a/templates/page.html
+++ b/templates/page.html
@@ -15,7 +15,7 @@
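Review bot: The two new rejection branches in the src/rendering.rs hunk are distinguishable to the caller: a `filename` that resolves outside `docs_dir` gets "Not found" when the target does not exist (the `canonicalize()` `map_err`) but "Access Denied" when it does (the `starts_with` check), so the containment check doubles as an existence oracle for paths outside the docs root. The usual mitigation is to return the same client-facing error for both cases and record the rejection in a server-side log instead, e.g. replace the `return Err("Access Denied".to_string());` line with `return Err("Not found".to_string());`. Separately, the first `map_err` yields a `&str` while the other two produce `String`; it compiles because `?` applies `From<&str>`, but `.map_err(|_| "Not found".to_string())?` would match the surrounding style. The enclosing `render_wiki_page` signature starts before this hunk and its body continues after it, so the function's full error contract is not visible here.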