Resolved path was not checked against the static/ directory, allowing GET /static/../../../../etc/passwd to serve arbitrary files.

Fix: resolve the path and call relative_to(static_root) before serving. Returns 404 for any path that escapes the static/ directory.

fix(css): add !important to three dead mobile overrides in @media(640px)

Three @media(max-width:640px) rules added by the mobile responsive PR were silently overridden by later bare rules in the same stylesheet:

- .composer-wrap padding (overridden by line 347)
- .suggestion-grid max-width (overridden by line 364)
- .tool-card margin-left (overridden by line 460)

Fix: add !important to these three declarations so the mobile overrides actually fire on narrow screens.

Tests: 224 passed, 0 failed.
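The resolve-then-relative_to check described in the first commit, written out as an added example (this is not the project's own handler; the function names resolve_static_path, serve_static and build_demo_root, the temporary fixture directory, and the 404/200 tuple return shape are assumptions for illustration). It goes slightly beyond the commit text by percent-decoding the URL path before the check, so an encoded %2e%2e is normalised the same way as a literal "..", and it rejects anything that is not a regular file inside the static root.

```python
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote
import tempfile


def resolve_static_path(static_root: Path, url_path: str) -> Optional[Path]:
    """Map a request path (with or without a leading /static) to a file
    inside static_root. Returns None when the request escapes the root
    (the caller answers 404) or when the target is not a regular file."""
    root = static_root.resolve()
    # Decode percent-encoding first so "%2e%2e" is treated as ".." before the check.
    decoded = unquote(url_path)
    if decoded.startswith("/static/"):
        decoded = decoded[len("/static"):]
    relative = decoded.lstrip("/")
    # resolve() collapses "..", and follows symlinks, so a link inside static/
    # that points outside the tree is also caught by the containment check.
    candidate = (root / relative).resolve()
    try:
        # relative_to raises ValueError when candidate lies outside root:
        # that is exactly the traversal case the commit fixes.
        candidate.relative_to(root)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def serve_static(static_root: Path, url_path: str) -> Tuple[int, bytes]:
    """Minimal stand-in for the static handler: (status, body)."""
    target = resolve_static_path(static_root, url_path)
    if target is None:
        return 404, b"Not Found"
    return 200, target.read_bytes()


def build_demo_root() -> Path:
    """Constructed fixture: a throwaway static/ directory with one asset and
    a sibling file outside it that stands in for /etc/passwd."""
    base = Path(tempfile.mkdtemp())
    static = base / "static"
    static.mkdir()
    (static / "app.css").write_bytes(b"body{margin:0}")
    (base / "secret.txt").write_bytes(b"not for you")
    return static


if __name__ == "__main__":
    root = build_demo_root()
    for path in ("/static/app.css", "/static/../secret.txt",
                 "/static/%2e%2e/secret.txt", "/static/../../../../etc/passwd"):
        status, _ = serve_static(root, path)
        print(f"{path!r:45} -> {status}")
```

The containment check has to run on the resolved path, not on the raw string: a prefix comparison on the unresolved text would accept "/static/../secret.txt" because it starts with "/static/". Because resolve() follows symlinks, a symlink under static/ that points elsewhere is rejected too; if symlinked assets are intentional, the check would instead have to resolve the root and the candidate's parent separately.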
38 KiB