feat(config): discover deep symlinks dynamically when accessing previews

2026-03-23 22:22:11 -03:00 · 2026-02-04 00:16:59 +08:00
parent c12aefa82a
commit 7bcf4e4491
4 changed files with 298 additions and 23 deletions
--- a/py/routes/handlers/preview_handlers.py
+++ b/py/routes/handlers/preview_handlers.py
@@ -33,6 +33,10 @@ class PreviewHandler:
            raise web.HTTPBadRequest(text="Invalid preview path encoding") from exc

        normalized = decoded_path.replace("\\", "/")
+
+        if not self._config.is_preview_path_allowed(normalized):
+            raise web.HTTPForbidden(text="Preview path is not within an allowed directory")
+
        candidate = Path(normalized)
        try:
            resolved = candidate.expanduser().resolve(strict=False)
@@ -40,12 +44,8 @@ class PreviewHandler:
            logger.debug("Failed to resolve preview path %s: %s", normalized, exc)
            raise web.HTTPBadRequest(text="Unable to resolve preview path") from exc

-        resolved_str = str(resolved)
-        if not self._config.is_preview_path_allowed(resolved_str):
-            raise web.HTTPForbidden(text="Preview path is not within an allowed directory")
-
        if not resolved.is_file():
-            logger.debug("Preview file not found at %s", resolved_str)
+            logger.debug("Preview file not found at %s", str(resolved))
            raise web.HTTPNotFound(text="Preview file not found")

        # aiohttp's FileResponse handles range requests and content headers for us.