From 97942ca6f1a38c133c5e1adb7b5ea10d84c81985 Mon Sep 17 00:00:00 2001
From: kj_sh604
Date: Mon, 1 Jun 2026 13:34:03 -0400
Subject: refactor: move nyan.png to original location
---
 .gitignore | 2 +-
 src/app.py | 7 +++++--
 src/nyan.png | Bin 901 -> 0 bytes
 src/uploads/.htaccess | 5 +++++
 src/uploads/nyan.png | Bin 0 -> 901 bytes
 5 files changed, 11 insertions(+), 3 deletions(-)
 delete mode 100644 src/nyan.png
 create mode 100644 src/uploads/.htaccess
 create mode 100644 src/uploads/nyan.png
diff --git a/.gitignore b/.gitignore
index 5d9b990..76175b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 src/uploads/*
 !src/uploads/.htaccess
-!src/uploads/nyan_819cac51.png
+!src/uploads/nyan.png
 __pycache__/
 *.pyc
\ No newline at end of file
diff --git a/src/app.py b/src/app.py
index edd0f59..1ff357e 100644
--- a/src/app.py
+++ b/src/app.py
@@ -5,6 +5,7 @@ import hashlib
 import os
 import re
 import secrets
+import string
 import subprocess
 import time
 from pathlib import Path
@@ -215,7 +216,7 @@ def favicon_svg():
 @app.route("/nyan.png")
 def nyan_png():
- return send_from_directory(app.root_path, "nyan.png")
+ return send_from_directory(UPLOAD_DIR, "nyan.png")
 @app.route("/uploads/")
@@ -244,7 +245,9 @@ def upload():
 ext = ALLOWED_MIME[mime]
 basename = re.sub(r"[^a-zA-Z0-9_-]", "_", Path(f.filename).stem)[:64] or "image"
- filename = f"{basename}_{secrets.token_hex(4)}.{ext}"
+ epoch = int(time.time())
+ rand = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(16))
+ filename = f"{basename}_{epoch}-{rand}.{ext}"
 (UPLOAD_DIR / filename).write_bytes(data)
diff --git a/src/nyan.png b/src/nyan.png
deleted file mode 100644
index 377b9d0..0000000
Binary files a/src/nyan.png and /dev/null differ
diff --git a/src/uploads/.htaccess b/src/uploads/.htaccess
new file mode 100644
index 0000000..c53904e
--- /dev/null
+++ b/src/uploads/.htaccess
@@ -0,0 +1,5 @@
+# deny common executable/script payloads in uploads
+
+ Require all denied
+
+Options -ExecCGI
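Review bot: `nyan_png()` now reads its file from `UPLOAD_DIR`, so a bundled application asset sits in the same directory that `upload()` writes user-supplied data into. Anything able to write, replace or purge files there also decides what `/nyan.png` returns, and the asset stays tracked only through the `!src/uploads/nyan.png` exception in .gitignore. If the location is deliberate, a comment above the return would record why it is safe, e.g. `# bundled asset kept in UPLOAD_DIR on purpose; upload() names always carry a random suffix, so they cannot collide with it`. Whether any cleanup or listing code iterates `UPLOAD_DIR` is not visible in this hunk.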
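Review bot: The `epoch` part of the new `filename` is guessable and publishes the upload time in every link, so all of the unpredictability rests on `rand`. That part is sound: 16 draws of `secrets.choice` over 36 symbols give roughly 82 bits, up from the 32 bits of the removed `secrets.token_hex(4)`. Because the naming scheme changes under a commit titled as a refactor, I would record the intent beside it, e.g. `# epoch is not a secret; unguessability comes from the 16 secrets-derived chars in rand`. `write_bytes` still truncates an existing file silently, so if a name must never be overwritten, opening the target with mode `"xb"` would make a collision fail loudly. The body of `upload()` starts and ends outside this hunk.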
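Review bot: These rules take effect only when Apache serves `src/uploads` directly and `AllowOverride` permits them; requests answered by the Flask `/uploads/` route in src/app.py never consult this file. `Options -ExecCGI` additionally needs `AllowOverride Options`, and without it Apache typically answers requests for the directory with a 500 error. The lines that enclose `Require all denied` appear empty in this rendering, so the match pattern could not be checked. I would extend the header comment, e.g. `# effective only when Apache serves this directory and AllowOverride permits these directives; the Flask route must enforce its own checks`.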
diff --git a/src/uploads/nyan.png b/src/uploads/nyan.png
new file mode 100644
index 0000000..377b9d0
Binary files /dev/null and b/src/uploads/nyan.png differ
--
cgit v1.2.3