From 5695450289f24c4522b8cb479e3a717a4f88a07c Mon Sep 17 00:00:00 2001
From: Ethan Dalool <git@voussoir.net>
Date: Fri, 11 Nov 2022 15:54:32 -0800
Subject: [PATCH] Add a little obvious defense against filepaths in theme
 request.

---
 voussoirkit/flasktools.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/voussoirkit/flasktools.py b/voussoirkit/flasktools.py
index c674466..e17d619 100644
--- a/voussoirkit/flasktools.py
+++ b/voussoirkit/flasktools.py
@@ -239,6 +239,8 @@ def give_theme_cookie(function, *, cookie_name, default_theme):
     def wrapped(*args, **kwargs):
         old_theme = request.cookies.get(cookie_name, None)
         new_theme = request.args.get('theme', None)
+        if new_theme is not None and any(badchar in new_theme for badchar in {'..', '/', '\\'}):
+            new_theme = None
         theme = new_theme or old_theme or default_theme
 
         # The original data structure for request.cookies is immutable and we