From 84adaa934a903769de802c85ed499f93d2d361b8 Mon Sep 17 00:00:00 2001
From: "Albert S."
Date: Mon, 27 Nov 2023 22:33:55 +0100
Subject: [PATCH] template: getPartPath(): Ensure return path isn't outside template dir

user-input to this function might become possible soon
---
 template.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/template.cpp b/template.cpp
index 8a90528..e7eb2cd 100644
--- a/template.cpp
+++ b/template.cpp
@@ -18,6 +18,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 */
+#include
 #include "template.h"
 #include "varreplacer.h"
 #include "urlprovider.h"
@@ -47,9 +48,15 @@ TemplatePage Template::getPage(const std::string &pagename)

 std::string Template::getPartPath(std::string_view partname)
 {
- // TODO: utils::concatPath? C++17 paths?
- return this->templatepath + "/" + std::string(partname);
+ auto absolute_path = std::filesystem::canonical(std::filesystem::path{this->templatepath} / partname);
+ std::string result = absolute_path.string();
+ if(result.starts_with(this->templatepath))
+ {
+ return result;
+ }
+ return "";
 }
+
 std::string Template::loadPartContent(std::string_view partname)
 {
 std::string partpath = getPartPath(partname);
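Review bot: The containment check in getPartPath() compares strings, not path components: `result.starts_with(this->templatepath)` also accepts a sibling directory whose name merely begins with the template directory's name (a constructed example: `templates-old` next to `templates`), and it rejects every part when `templatepath` is itself relative, symlinked or written with a trailing slash, because only the joined path is canonicalized. `std::filesystem::canonical` also throws `std::filesystem::filesystem_error` for a part that does not exist, where the old code returned a path and left the failure to the caller, so a missing or mistyped part name now surfaces as an exception unless the `std::error_code` overload is used. I would canonicalize both paths, compare them component-wise, and keep the empty-string return for every failure; loadPartContent(), whose body continues outside the hunk, should then treat an empty path as an error rather than try to open it.

```cpp
std::string Template::getPartPath(std::string_view partname)
{
	std::error_code ec;
	// Resolve the base too, so both sides of the comparison are in canonical form.
	const auto base = std::filesystem::canonical(this->templatepath, ec);
	if(ec)
	{
		return "";
	}
	const auto candidate = std::filesystem::canonical(base / partname, ec);
	if(ec)
	{
		return "";
	}
	// Component-wise check: an empty result or a leading ".." means the
	// candidate is not located below the template directory.
	const auto relative = candidate.lexically_relative(base);
	if(relative.empty() || *relative.begin() == "..")
	{
		return "";
	}
	return candidate.string();
}
```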