From 21f922f731fb752652e39f564ed670b0574ee451 Mon Sep 17 00:00:00 2001
From: sdomi
Date: Sun, 1 Jun 2025 17:43:12 +0200
Subject: [PATCH 1/3] template: prevent possible LFI given a template injection
we're now doing some extra work to sanitize paths in include keys.
---
src/template.sh | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/src/template.sh b/src/template.sh
index 0a34a50..e8cdf9b 100755
--- a/src/template.sh
+++ b/src/template.sh
@@ -27,24 +27,26 @@ function render() { # recursion is currently unsupported here, i feel like it may break things? if [[ "$template" == *'{{#'* && "$3" != true ]]; then local subtemplate= - while read key; do + while read key; do # below check prevents the loop loading itself as a template. # this is possibly not enough to prevent all recursions, but # i see it as a last-ditch measure. so it'll do here. - if [[ "$file" == "$tplfile" ]]; then - subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}I cowardly refuse to endlessly recurse\!${_tpl_ctrl}g;" - # elif [[ -f "$key" ]]; then - else - local i - local IFS='' + local i + local IFS='' - _template_find_absolute_path "$key" - local input="$(tr -d "${_tpl_ctrl}${_tpl_newline}" < "$tplfile" | sed 's/\&/�UwU�/g')" - garbage+="$input"$'\n' - input="$(tr $'\n' "${_tpl_newline}" <<< "$input")" # for another hack - subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}${input}${_tpl_ctrl};" - _template_find_special_uri "$(cat "$tplfile")" + _old_tplfile="$tplfile" + _template_find_absolute_path "$key" + if [[ "$(realpath "$tplfile")" == "$_old_tplfile" ]]; then + subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}I cowardly refuse to endlessly recurse\!${_tpl_ctrl}g;" + continue fi + # don't even try to include files below httpsh's root + [[ "$(realpath "$tplfile")" != "$(dirname "$(realpath "${cfg[namespace]}")")"* ]] && continue + local input="$(tr -d "${_tpl_ctrl}${_tpl_newline}" < "$tplfile" | sed 's/\&/�UwU�/g')" + garbage+="$input"$'\n' + input="$(tr $'\n' "${_tpl_newline}" <<< "$input")" # for another hack + subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}${input}${_tpl_ctrl};" + _template_find_special_uri "$(cat "$tplfile")" done <<< "$(grep -Poh '{{#\K(.*?)(?=}})' <<< "$template")" buf+="${subtemplate}" From 1801e05fd975d394c0c925bbdd46e4e622f5999b Mon Sep 17 00:00:00 2001 
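Review bot: The containment test added just before the `local input=` read in the include loop is a bare string-prefix match, `!= "$(dirname "$(realpath "${cfg[namespace]}")")"*`, so a resolved path in a sibling directory whose name merely starts with the root's name (constructed example: root `/srv/site`, file under `/srv/site-old/`) still passes. Anchor the comparison on a path separator: `local root; root="$(dirname "$(realpath "${cfg[namespace]}")")"` followed by `[[ "$(realpath "$tplfile")" != "${root%/}/"* ]] && continue`. Because the root is the parent of the namespace directory, anything stored next to the namespace stays includable; if that is wider than intended, compare against the namespace itself. The recursion guard compares a canonicalised path with the raw `$_old_tplfile`, which is also not declared `local`, so it can miss a template that was opened through a relative or symlinked path. render() starts and ends outside this hunk.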
From: sdomi Date: Sun, 1 Jun 2025 17:47:26 +0200 Subject: [PATCH 2/3] template: bugfix the default include path --- src/template.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/template.sh b/src/template.sh index e8cdf9b..e2f072c 100755 --- a/src/template.sh +++ b/src/template.sh @@ -140,8 +140,10 @@ function render() { # # _template_find_absolute_path(name) -> $tplfile _template_find_absolute_path() { - if [[ ! "${template_relative_paths}" || "$1" == /dev/stdin || "$1" == "/dev/fd/"* ]]; then + if [[ "$1" == /dev/stdin || "$1" == "/dev/fd/"* ]]; then tplfile="$1" + elif [[ ! "${template_relative_paths}" ]]; then + tplfile="${cfg[namespace]}/$1" else for (( i=0; i<${#template_relative_paths[@]}; i++ )); do if [[ -f "${template_relative_paths[i]}/$1" ]]; then From 57ed8eadbf5491e754ceb7203b24d8a9ef853568 Mon Sep 17 00:00:00 2001 From: sdomi Date: Sun, 1 Jun 2025 17:50:00 +0200 Subject: [PATCH 3/3] version: bump to 0.97.2 --- src/version.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/version.sh b/src/version.sh index fd70d1b..c290b98 100644 --- a/src/version.sh +++ b/src/version.sh @@ -1,2 +1,2 @@ #!/usr/bin/env bash -HTTPSH_VERSION=0.97.1 +HTTPSH_VERSION=0.97.2
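Review bot: The new `elif` branch builds `tplfile="${cfg[namespace]}/$1"` without rejecting `..` components in `$1`, so the helper can still return a path outside the namespace and confinement depends on each caller canonicalising the result, as the include loop in render() does after the first patch. The `/dev/stdin` and `/dev/fd/*` branch also skips the namespace, so those names rely on the same caller-side check. I would state that contract on the function header: `# NOTE: $1 is not sanitised; callers must confine "$(realpath "$tplfile")" to the template root before reading it.` The function body continues past the end of this hunk, so what happens to `tplfile` when no entry of `template_relative_paths` matches is not visible here.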