From 7b14b39de087493e16c07cf005f8ce1f7c55cc07 Mon Sep 17 00:00:00 2001
From: Nicolas Giard
Date: Sat, 29 Jan 2022 18:45:51 -0500
Subject: [PATCH] fix: prevent upload bypass via uppercase path
---
 server/helpers/security.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/helpers/security.js b/server/helpers/security.js
index c138ada176..e45ee32ca5 100644
--- a/server/helpers/security.js
+++ b/server/helpers/security.js
@@ -32,7 +32,7 @@ module.exports = {
 token = req.cookies['jwt']
 }
 // Force uploads to use Auth headers
- if (req.path === '/u') {
+ if (req.path.toLowerCase() === '/u') {
 return null
 }
 return token
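Review bot: The new condition `req.path.toLowerCase() === '/u'` is still an exact string match, so the guard only holds if it uses the same normal form as the router that dispatches the upload handler. The route registration is not visible here, but if it uses the framework's default non-strict matching, other equivalent spellings of the path, such as one with a trailing slash, may need folding as well, e.g. `if (req.path.toLowerCase().replace(/\/+$/, '') === '/u') {`. A more robust option is to enforce header-only authentication inside the upload route itself, so the check cannot drift from the routing rules. I would also extend the comment to `// Force uploads to use Auth headers (cookie JWT must never authenticate /u; compare in the router's normalised form)`. The enclosing function starts and ends outside this hunk.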