path traversal in image download
sanitize_path doesn't strip ..\, but instead turns it into ../. This allows for path traversal. It is used in
For production this is fortunately blocked by NGINX, as we pass the resultant path to sendfile.
This has now been fixed and the fix has been deployed. As such, this issue is no longer marked confidential.
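An added illustration of the failure mode reported in this issue, not the project's code: `sanitize_path_flawed` is a hypothetical reconstruction of the described behaviour (the real `sanitize_path` is not shown on this page), shown beside a hardened variant that normalises separators before validating components. `BASE_DIR`, the file names and all function names below are assumptions.

```python
import posixpath

BASE_DIR = "/srv/app/images"  # assumed storage root, not taken from the issue


def sanitize_path_flawed(name: str) -> str:
    """Hypothetical reconstruction: '../' is stripped first, backslashes are
    converted afterwards, so '..\\' is never stripped and comes out as '../'."""
    cleaned = name.replace("../", "")
    return cleaned.replace("\\", "/")


def sanitize_path_hardened(name: str) -> str:
    """Normalise separators first, then validate every path component."""
    if "\x00" in name:
        raise ValueError("NUL byte in path")
    parts = name.replace("\\", "/").split("/")
    # Reject empty components (leading or doubled slashes), '.' and '..'.
    if any(part in ("", ".", "..") for part in parts):
        raise ValueError("illegal path component")
    return "/".join(parts)


def resolve_under_base(rel: str, base: str = BASE_DIR) -> str:
    """Defence in depth: join, normalise, and confirm the result stays in base."""
    full = posixpath.normpath(posixpath.join(base, rel))
    if posixpath.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory")
    return full


def rejects(func, value: str) -> bool:
    """Return True when func refuses value by raising ValueError."""
    try:
        func(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("thumbs\\cat.png", "../../notes.txt", "..\\..\\notes.txt"):
        flawed = sanitize_path_flawed(sample)
        print(f"{sample!r}: flawed -> {flawed!r}, "
              f"hardened rejects: {rejects(sanitize_path_hardened, sample)}, "
              f"containment check rejects flawed output: "
              f"{rejects(resolve_under_base, flawed)}")
```

The containment check in `resolve_under_base` is worth keeping even with a correct sanitiser, so that a later regression in the sanitiser is caught by the application itself and not only by the web server in front of it.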