path traversal in image download

The function sanitize_path doesn't strip ..\, but instead turns it into ../. This allows for path traversal. It is used in _download.

For production this is fortunately blocked by NGINX, as we pass the resultant path to sendfile. 😥

this has now been fixed and the fix has been deployed. As such this issue has been marked confidential no longer