mirror of
https://github.com/azures04/crafatar.git
synced 2026-05-06 11:00:39 +02:00
bba004acc7
uses `new URL()` and `decodeURI()` instead of `url.parse()` also checks that the requested file is in a subdirectory of `public/` before serving the file fixes path traversal vulnerability GHSA-5cxq-25mp-q5f2