From 73a2adc05557ef919bf83b530fdefdcc26c7985a Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Fri, 16 Oct 2020 21:23:13 +0200
Subject: [PATCH] Do not allow \ or @ in URL

---
 web/handler.go | 6 ++++++
 web/web.go     | 4 ----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/web/handler.go b/web/handler.go
index b7c55b0..d9cc4fa 100644
--- a/web/handler.go
+++ b/web/handler.go
@@ -8,6 +8,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"regexp"
 	"strings"
 
 	"github.com/markbates/pkger"
@@ -17,6 +18,11 @@ import (
 	"gitlab.crans.org/nounous/ghostream/stream/webrtc"
 )
 
+var (
+	// Precompile regex
+	validPath = regexp.MustCompile("^/[a-z0-9_-]*$")
+)
+
 // Handle WebRTC session description exchange via POST
 func viewerPostHandler(w http.ResponseWriter, r *http.Request) {
 	// Limit response body to 128KB
diff --git a/web/web.go b/web/web.go
index 2ef30a2..929053b 100644
--- a/web/web.go
+++ b/web/web.go
@@ -7,7 +7,6 @@ import (
 	"log"
 	"net/http"
 	"os"
-	"regexp"
 	"strings"
 
 	"github.com/markbates/pkger"
@@ -42,9 +41,6 @@ var (
 
 	// Preload templates
 	templates *template.Template
-
-	// Precompile regex
-	validPath = regexp.MustCompile("^/[a-z0-9@_\\-]*/?$")
 )
 
 // Load templates with pkger