From 67d962003756aaa062df8cb4d6dd108e57345475 Mon Sep 17 00:00:00 2001
From: flashwave <me@flash.moe>
Date: Mon, 11 Sep 2023 20:15:44 +0000
Subject: [PATCH] Fixed legacy paths being too / tolerant.

---
 public/index.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/public/index.php b/public/index.php
index 7329d7b..89e08d9 100644
--- a/public/index.php
+++ b/public/index.php
@@ -131,11 +131,15 @@ CSRF::init(
 $router = $msz->createRouting();
 $msz->startTemplating();
 
-$mszRequestPath = $request->getPath();
+$mszRequestPath = substr($request->getPath(), 1);
 $mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
-$mszLegacyPath = realpath($mszLegacyPathPrefix . $mszRequestPath);
+$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;
 
 if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
+    $mszLegacyPathReal = realpath($mszLegacyPath);
+    if($mszLegacyPath !== $mszLegacyPathReal && $mszLegacyPath !== $mszLegacyPathReal . '/')
+        Template::throwError(404);
+
     if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
         Template::throwError(403);