- Fixed a path traversal issue in the development runner's `/files/{filename:path}` download endpoint. Previously, when the runner was started with `--folder`, a request like `/files/..%2F..%2Fetc%2Fpasswd` could escape the configured folder because `%2F`-encoded separators bypassed Starlette's path normalisation. The endpoint now resolves the joined path and rejects any filename that escapes the allowed base with a 403, and also returns 404 (instead of an implicit `null` 200) when `--folder` is unset.
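
The resolve-then-check-containment pattern described in this entry, as an added standard-library sketch that is not the project's own code. The names `naive_lookup`, `safe_lookup` and `demo` are hypothetical. It assumes the handler receives the percent-decoded filename, and that a missing file inside the folder yields 404.

```python
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote


def naive_lookup(folder: str, filename: str) -> Path:
    """'Before' behaviour: join and serve, with no containment check."""
    return Path(folder) / filename


def safe_lookup(folder: Optional[str], filename: str) -> Tuple[int, Optional[Path]]:
    """Return (HTTP status, path to serve) for a download request."""
    if folder is None:                      # --folder unset: nothing to serve
        return 404, None
    base = Path(folder).resolve()
    # resolve() collapses ".." and follows symlinks, so the check below
    # sees the real location on disk rather than the string that was sent.
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)         # raises ValueError if outside base
    except ValueError:
        return 403, None
    if not candidate.is_file():             # assumption: missing file -> 404
        return 404, None
    return 200, candidate


def demo() -> dict:
    """Run constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        served = Path(root) / "served"
        served.mkdir()
        (served / "report.txt").write_text("public")
        outside = Path(root) / "outside.txt"
        outside.write_text("not for download")
        traversal = unquote("..%2Foutside.txt")   # constructed sample value
        return {
            "naive_escapes": naive_lookup(str(served), traversal).resolve() == outside.resolve(),
            "inside": safe_lookup(str(served), "report.txt")[0],
            "traversal": safe_lookup(str(served), traversal)[0],
            "absolute": safe_lookup(str(served), str(outside))[0],
            "missing": safe_lookup(str(served), "nope.txt")[0],
            "unset": safe_lookup(None, "report.txt")[0],
        }


if __name__ == "__main__":
    print(demo())
```

The absolute-path case matters because joining an absolute filename onto a `Path` discards the base entirely; the containment check after `resolve()` catches it along with `..` segments and symlinks that point outside the folder.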