From 74b2408668fedca818bac23c0a5ef4fbca30aec1 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Wed, 4 Oct 2017 12:39:08 +0200
Subject: [PATCH] Move path checking to parsePath
---
 src/Ui/UiRequest.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index efb29841..73fd5cda 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -435,10 +435,10 @@ class UiRequest(object):
 # Serve a media for site
 def actionSiteMedia(self, path, header_length=True, header_noscript=False):
- if ".." in path: # File not in allowed path
- return self.error403("Invalid file path")
-
- path_parts = self.parsePath(path)
+ try:
+ path_parts = self.parsePath(path)
+ except SecurityError as err:
+ return self.error403(err)
 if not path_parts:
 return self.error404(path)
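Review bot: The `".."` traversal guard is removed from `actionSiteMedia` and now depends entirely on `parsePath` raising `SecurityError`, yet the diffstat shows this commit touches only these eight lines, so neither that check nor an import of `SecurityError` is visible in the patch. Confirm both already exist in `src/Ui/UiRequest.py`; otherwise a path containing `..` presumably reaches the file-serving code further down, or the `except` clause itself fails with a NameError when an exception propagates. `self.error403(err)` also passes the exception object where a fixed string was passed before, and if its text includes the requested path, that request-controlled value ends up in the 403 body; keeping `return self.error403("Invalid file path")` avoids that. A comment on the `try`, such as `# parsePath raises SecurityError for paths containing ".."`, would record where the guard now lives. `actionSiteMedia` continues beyond the end of the hunk.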