From ff4c4f6d46d33f316f98e47441c6b8575cc08167 Mon Sep 17 00:00:00 2001
From: Tom Kralidis
Date: Tue, 12 Mar 2024 09:16:34 -0400
Subject: [PATCH] Flask: sanitize OGC schema pathing (#1593)

---
 pygeoapi/flask_app.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pygeoapi/flask_app.py b/pygeoapi/flask_app.py
index dc82978..5c22475 100644
--- a/pygeoapi/flask_app.py
+++ b/pygeoapi/flask_app.py
@@ -101,8 +101,11 @@ if (OGC_SCHEMAS_LOCATION is not None and
         dirname_ = os.path.dirname(full_filepath)
         basename_ = os.path.basename(full_filepath)
 
-        # TODO: better sanitization?
-        path_ = dirname_.replace('..', '').replace('//', '')
+        path_ = dirname_.replace('..', '').replace('//', '').replace('./', '')
+
+        if '..' in path_:
+            return 'Invalid path', 400
+
         return send_from_directory(path_, basename_,
                                    mimetype=get_mimetype(basename_))
 
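Review bot: The new `path_` is still a request-derived directory handed to `send_from_directory`, so Werkzeug's own `safe_join` check only ever sees `basename_` (separator-free by construction) and the effective guard is the character stripping plus the `'..' in path_` test on the added lines. Stripping rewrites suspicious input instead of rejecting it, and neither step says anything about `full_filepath` being absolute or resolving through a symlink, which depends on how it is built above the hunk (the function starts outside it). A containment check on the resolved path is the usual approach and keeps the directory argument under the application's control; the `send_from_directory`/`get_mimetype` tail of the function stays as it is. Answering with 404 rather than 400 would also match what `safe_join` does and avoid telling a client that its path was recognised as a traversal attempt.
```python
        # … unchanged: full_filepath construction …
        root_ = os.path.realpath(OGC_SCHEMAS_LOCATION)
        real_ = os.path.realpath(full_filepath)
        # reject anything that resolves outside the schemas directory
        if os.path.commonpath([root_, real_]) != root_:
            return 'Invalid path', 400
        path_ = os.path.dirname(real_)
        basename_ = os.path.basename(real_)

        # … unchanged: send_from_directory(path_, basename_, mimetype=...) …
```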