path traversal in image download

The function sanitize_path doesn't strip ..\, but instead turns it into ../. This allows for path traversal. It is used in _download.

For production this is fortunately blocked by NGINX, as we pass the resultant path to sendfile. 😥

this has now been fixed and the fix has been deployed. As such this issue has been marked confidential no longer

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information