From 810a6b7324ff24de5a688bf7e13c738b705e476e Mon Sep 17 00:00:00 2001
From: Tirefire <84106878+tire-fire@users.noreply.github.com>
Date: Wed, 11 Feb 2026 05:40:12 +0000
Subject: [PATCH 1/2] Clear stale cookie when session lookup fails

Co-Authored-By: Claude Opus 4.6
---
 www/api/authentication.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/www/api/authentication.go b/www/api/authentication.go
index 29f96ad..fd93024 100644
--- a/www/api/authentication.go
+++ b/www/api/authentication.go
@@ -168,6 +168,15 @@ func Authenticate(w http.ResponseWriter, r *http.Request) (string, []string) {
 if err != nil {
 slog.Error(err.Error())
+ http.SetCookie(w, &http.Cookie{
+ Name: COOKIENAME,
+ Value: "",
+ MaxAge: -1,
+ HttpOnly: true,
+ Secure: cookieSecure(),
+ SameSite: http.SameSiteLaxMode,
+ Path: "/",
+ })
 return "", nil
 }

From f7aa48a9d97aef2169bc945339451194f4f90f54 Mon Sep 17 00:00:00 2001
From: Tirefire <84106878+tire-fire@users.noreply.github.com>
Date: Fri, 13 Feb 2026 04:44:22 +0000
Subject: [PATCH 2/2] Fix path traversal in file uploads

Co-Authored-By: Claude Opus 4.6
---
 www/api/announcements.go | 2 +-
 www/api/injects.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/api/announcements.go b/www/api/announcements.go
index b796829..4200ee6 100644
--- a/www/api/announcements.go
+++ b/www/api/announcements.go
@@ -160,7 +160,7 @@ func CreateAnnouncement(w http.ResponseWriter, r *http.Request) {
 }
 defer file.Close()
- dst, err := os.Create(fmt.Sprintf("%s/%s", uploadDir, fileHeader.Filename))
+ dst, err := SafeCreate(uploadDir, fileHeader.Filename)
 if err != nil {
 WriteJSON(w, http.StatusInternalServerError, map[string]any{"error": "Failed to create file on disk"})
 return
diff --git a/www/api/injects.go b/www/api/injects.go
index 3e3397e..b5eaf70 100644
--- a/www/api/injects.go
+++ b/www/api/injects.go
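Review bot: The new Set-Cookie runs for every error from the session lookup, not only for a missing session, because the `if err != nil` it sits under is the generic error branch that already covers whatever the store returns; a transient failure (database down, timeout) would now log every user out by deleting their cookie instead of merely failing that one request. Clear the cookie only on the not-found case, e.g. `if errors.Is(err, sql.ErrNoRows) { clearSessionCookie(w) }` with whatever sentinel the session store actually returns (not visible in this hunk), and keep the plain `return "", nil` for other errors. Separately, a browser only drops the cookie when Name, Path and Domain match the Set-Cookie that issued it, so confirm the issuing code also uses `Path: "/"` and no Domain; moving the nine-line literal into a `clearSessionCookie(w)` helper next to the issuer keeps the two in sync. Authenticate's body continues outside the hunk on both sides.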
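Review bot: Whether this closes the traversal depends entirely on `SafeCreate`, which is not in the patch, so its contract should be written where it is defined and covered by a test with `..`, an absolute path, a backslash-separated name and an empty name. If this builds with Go 1.17 or later, `multipart.FileHeader.Filename` has already been through `filepath.Base`, so the cases the helper still has to handle are the ones `Base` leaves alone: `""`, `"."` and `".."` (which point at `uploadDir` itself or its parent rather than a file inside it) and `\`-separated names on a non-Windows server; `filepath.Base`, an explicit reject of dot names, then `filepath.Join` covers them. The handler also still maps a rejected filename to 500 "Failed to create file on disk"; if SafeCreate returns a distinguishable error for invalid names, `if errors.Is(err, ErrInvalidFilename) { WriteJSON(w, http.StatusBadRequest, map[string]any{"error": "Invalid filename"}); return }` gives the client the right signal. CreateAnnouncement's body continues outside the hunk on both sides.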
@@ -193,7 +193,7 @@ func CreateInject(w http.ResponseWriter, r *http.Request) {
 }
 defer file.Close()
- dst, err := os.Create(fmt.Sprintf("%s/%s", uploadDir, fileHeader.Filename))
+ dst, err := SafeCreate(uploadDir, fileHeader.Filename)
 if err != nil {
 WriteJSON(w, http.StatusInternalServerError, map[string]any{"error": "Failed to create file on disk"})
 return
@@ -324,7 +324,7 @@ func UpdateInject(w http.ResponseWriter, r *http.Request) {
 }
 defer file.Close()
- dst, err := os.Create(fmt.Sprintf("%s/%s", uploadDir, fileHeader.Filename))
+ dst, err := SafeCreate(uploadDir, fileHeader.Filename)
 if err != nil {
 WriteJSON(w, http.StatusInternalServerError, map[string]any{"error": "Failed to create file on disk"})
 return
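Review bot: Both hunks still write the upload under the client-chosen name (`SafeCreate(uploadDir, fileHeader.Filename)`), and if SafeCreate keeps `os.Create` semantics it truncates an existing file, so anyone allowed to upload can replace an earlier attachment simply by reusing its filename — traversal is fixed, overwrite is not. Opening with `os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)` inside SafeCreate, or storing under a server-generated name (inject ID plus a random suffix) and keeping the original name only as metadata, removes the collision; for UpdateInject an intentional replacement of the same record's file should then be an explicit remove-then-create rather than relying on truncation. `uploadDir` comes from outside both hunks, so it is also worth confirming it is the configured directory and not derived from the request. CreateInject and UpdateInject both begin and end outside their hunks.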