From 4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1 Mon Sep 17 00:00:00 2001
From: Henrique Dias
Date: Sat, 14 Mar 2026 08:13:51 +0100
Subject: [PATCH] fix: clean path in patch handler
---
 http/resource.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/http/resource.go b/http/resource.go
index f528473d..3f78cb0c 100644
--- a/http/resource.go
+++ b/http/resource.go
@@ -212,6 +212,8 @@ func resourcePatchHandler(fileCache FileCache) handleFunc {
 dst := r.URL.Query().Get("destination")
 action := r.URL.Query().Get("action")
 dst, err := url.QueryUnescape(dst)
+ dst = path.Clean("/" + dst)
+ src = path.Clean("/" + src)
 if !d.Check(src) || !d.Check(dst) {
 return http.StatusForbidden, nil
 }
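Review bot: The `err` returned by `url.QueryUnescape(dst)` is not checked before the new `dst = path.Clean("/" + dst)` line, so on a decode failure the empty result is normalised to `/` and that value, not the client's input, is what reaches `d.Check`. Any handling of `err` must sit below the `d.Check` guard, outside this hunk; I would move it directly under the unescape, e.g. `if err != nil { return http.StatusBadRequest, err }`, so a malformed destination is rejected before it is normalised. The two added lines would also benefit from a short why-comment, something like `// normalise after the final decode so ".." segments are resolved before the rule check`, since the ordering relative to the unescape is what makes the fix hold. The diffstat shows only `http/resource.go` changed, so a regression test covering a `destination` containing `..` segments (plain and percent-encoded) appears to be missing.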