From ebf6a4bd8e97e434d1502ddead4690aca3dd6d33 Mon Sep 17 00:00:00 2001
From: default <nobody@localhost>
Date: Mon, 22 Apr 2024 05:46:56 +0200
Subject: URLs like {srv_baseurl}/{user}/admin/p/{md5} are valid.

But only if {md5} is in the user's timeline.
---
 data.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'data.c')

diff --git a/data.c b/data.c
index 1e46395..2fb00eb 100644
--- a/data.c
+++ b/data.c
@@ -1065,14 +1065,18 @@ int timeline_touch(snac *snac)
 xs_str *timeline_fn_by_md5(snac *snac, const char *md5)
 /* get the filename of an entry by md5 from any timeline */
 {
-    xs_str *fn = xs_fmt("%s/private/%s.json", snac->basedir, md5);
+    xs_str *fn = NULL;
 
-    if (mtime(fn) == 0.0) {
-        fn = xs_free(fn);
-        fn = xs_fmt("%s/public/%s.json", snac->basedir, md5);
+    if (xs_is_hex(md5) && strlen(md5) == 32) {
+        fn = xs_fmt("%s/private/%s.json", snac->basedir, md5);
 
-        if (mtime(fn) == 0.0)
+        if (mtime(fn) == 0.0) {
             fn = xs_free(fn);
+            fn = xs_fmt("%s/public/%s.json", snac->basedir, md5);
+
+            if (mtime(fn) == 0.0)
+                fn = xs_free(fn);
+        }
     }
 
     return fn;
-- 
cgit v1.2.3