From 2e5a8a572eced1d5983e7ada3752fa2f8b1d564b Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Tue, 17 Dec 2024 17:24:40 +0000
Subject: [PATCH] tufted: more robust merge-pathname impl
---
 pkgs/tufted/tufted.fnl | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/pkgs/tufted/tufted.fnl b/pkgs/tufted/tufted.fnl
index d2f58c4..275ddbd 100644
--- a/pkgs/tufted/tufted.fnl
+++ b/pkgs/tufted/tufted.fnl
@@ -16,10 +16,18 @@ (print (.. "TFTP serving from " options.base-directory))
-(fn merge-pathname [directory filename]
- (if (directory:match "/$")
- (.. directory filename)
- (.. directory "/" filename)))
+;; this is a copy of anoia append-path
+(fn merge-pathname [dirname filename]
+ (let [base (or (string.match dirname "(.*)/$") dirname)
+ result []]
+ (each [component (string.gmatch filename "([^/]+)")]
+ (if (and (= component "..") (> (# result) 0))
+ (table.remove result)
+ (= component "..")
+ (error "path traversal attempt")
+ true
+ (table.insert result component)))
+ (.. base "/" (table.concat result "/"))))
 (-> (tftp:listen
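Review bot: The `(error "path traversal attempt")` branch in `merge-pathname` raises on a client-supplied filename, and the call site sits outside this hunk, so it should be confirmed that the handler given to `tftp:listen` traps the error (for example with `pcall`) and replies with a TFTP error packet; if it does not, a single unauthenticated request could stop the server. The check is lexical only: it rejects `..` above the base but does not resolve symlinks, so a link under `options.base-directory` can still lead outside it, and an empty filename yields the base directory path itself. I would record that contract beside the function, e.g. `;; lexical check only: raises on ".." above base; does not resolve symlinks; caller must trap the error`. Because this is a copy of anoia's append-path, the existing comment could also say why it is duplicated, so a later fix to one copy is not missed in the other.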