From c494e628b65680aa8ccc913d89e4ea5974e00d06 Mon Sep 17 00:00:00 2001
From: thapr0digy
Date: Wed, 20 Aug 2025 00:23:10 -0400
Subject: [PATCH] Fix path creation causing directory traversal

---
 web/download.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/web/download.php b/web/download.php
index a62bf06..60b77a9 100644
--- a/web/download.php
+++ b/web/download.php
@@ -7,9 +7,14 @@
 die("Missing required parameters");
 }
 
+// This prevents command injection and directory traversal attacks.
+if (!preg_match('/^[a-zA-Z0-9_-]+$/', $agent_id)) {
+ die("Invalid agent id format");
+}
+
 // Construct full path
 $base_path = "/rtMount/$agent_id";
-$full_path = "$base_path/$path";
+$full_path = realpath($base_path . '/' . $path);
 
 // Security checks
 if (!str_starts_with(realpath($full_path), realpath($base_path))) {
@@ -38,4 +43,4 @@
 echo fread($handle, 8192);
 flush();
 }
-fclose($handle);
\ No newline at end of file
+fclose($handle);
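Review bot: The containment check still accepts paths that merely share a name prefix with the agent directory, because `str_starts_with(realpath($full_path), realpath($base_path))` compares against `/rtMount/$agent_id` with no trailing separator while the new `realpath($base_path . '/' . $path)` resolves `..` before that comparison — for agent `abc`, `$path=../abc-2/secret` canonicalises to `/rtMount/abc-2/secret`, which starts with `/rtMount/abc` (both ids satisfy the new regex). realpath() also returns false when either path does not exist, and `str_starts_with($x, '')` is true for any string, so a missing agent directory makes the check pass vacuously; what the later fopen does with a false `$full_path` is outside this hunk. I would canonicalise both sides once and compare with the separator included: `$real_base = realpath($base_path);` / `$full_path = realpath($base_path . '/' . $path);` / `if ($real_base === false || $full_path === false || !str_starts_with($full_path, $real_base . '/')) {`. The body of that if and the file-open code are outside the hunk, and nothing shown shells out, so the "command injection" wording in the added comment looks unsupported unless `$agent_id` reaches a shell elsewhere in the file.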