diff --git a/src/rupload/app.py b/src/rupload/app.py
index 2b37b5b..f623ad3 100644
--- a/src/rupload/app.py
+++ b/src/rupload/app.py
@@ -271,7 +271,7 @@ async def handle_upload(request: web.Request):
 async def handle_thumbnail(request: web.Request):
 path = request.match_info["path"]
- safe_path = pathlib.Path(path)
+ safe_path = pathlib.Path(request.app.upload_path).joinpath(pathlib.Path(path.name))
 if not safe_path.is_file():
 return web.Response(status=400, text="Invalid file type.")
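Review bot: On the added `safe_path` line, `path.name` is read from `path`, which is the value of `request.match_info["path"]` and so presumably a plain `str`. A `str` has no `.name` attribute, so the handler would raise `AttributeError` before it reaches the `is_file()` check. The basename should be taken from a `Path` built from the string: `safe_path = pathlib.Path(request.app.upload_path) / pathlib.Path(path).name`. Note that `.name` can still be `..` or empty, so confinement to the upload directory also relies on the `is_file()` guard that follows; a short comment saying so, for example `# basename only; '..' and '' resolve to directories and are rejected below`, would keep a later edit from removing it. The body of `handle_thumbnail` continues past the end of the hunk, so how `safe_path` is used afterwards is not visible here.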