From b2203804c715e5b6b1915bcace6dfc3df806f346 Mon Sep 17 00:00:00 2001
From: lolcat
Date: Sun, 2 Mar 2025 21:58:18 -0500
Subject: [PATCH] path traversal exploit (this is what you get for using free software)

---
 favicon.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/favicon.php b/favicon.php
index 2a31839..0694a12 100644
--- a/favicon.php
+++ b/favicon.php
@@ -15,7 +15,12 @@ class favicon{
 header("Content-Type: image/png");
- if(substr_count($url, "/") !== 2){
+ if(
+ preg_match(
+ '/^https?:\/\/[A-Za-z0-9.-]+$/',
+ $url
+ ) === 0
+ ){
 header("X-Error: Only provide the protocol and domain");
 $this->defaulticon();