From 83666ad3b9bc554f584b61676fcbd1ac4d688d8b Mon Sep 17 00:00:00 2001
From: Ganesh Patil <7030871503ganeshpatil@gmail.com>
Date: Wed, 18 Feb 2026 15:39:06 +0530
Subject: [PATCH] security: sanitize fetch parameter with secure_filename in
 /download endpoint (fixes #358)

---
 fri/server/main.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fri/server/main.py b/fri/server/main.py
index c2e1e659..90dfd7a0 100644
--- a/fri/server/main.py
+++ b/fri/server/main.py
@@ -433,6 +433,11 @@ def download(dir):
     if not download_file:
         abort(400, description="Missing file parameter")
 
+    download_file = secure_filename(download_file)
+
+    if download_file == "":
+        abort(400, description="Invalid filename")
+
     # Normalize the requested file path
     safe_path = os.path.normpath(download_file)