Diffstat (limited to 'src')
| -rw-r--r-- | src/app.py | 7 | ||||
| -rw-r--r-- | src/uploads/.htaccess | 5 | ||||
| -rw-r--r-- | src/uploads/nyan.png (renamed from src/nyan.png) | bin | 901 -> 901 bytes |
3 files changed, 10 insertions, 2 deletions
@@ -5,6 +5,7 @@ import hashlib
 import os
 import re
 import secrets
+import string
 import subprocess
 import time
 from pathlib import Path
@@ -215,7 +216,7 @@ def favicon_svg():
 @app.route("/nyan.png")
 def nyan_png():
- return send_from_directory(app.root_path, "nyan.png")
+ return send_from_directory(UPLOAD_DIR, "nyan.png")
 @app.route("/uploads/<filename>")
@@ -244,7 +245,9 @@ def upload():
 ext = ALLOWED_MIME[mime]
 basename = re.sub(r"[^a-zA-Z0-9_-]", "_", Path(f.filename).stem)[:64] or "image"
- filename = f"{basename}_{secrets.token_hex(4)}.{ext}"
+ epoch = int(time.time())
+ rand = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(16))
+ filename = f"{basename}_{epoch}-{rand}.{ext}"
 (UPLOAD_DIR / filename).write_bytes(data)
diff --git a/src/uploads/.htaccess b/src/uploads/.htaccess
new file mode 100644
index 0000000..c53904e
--- /dev/null
+++ b/src/uploads/.htaccess
@@ -0,0 +1,5 @@
+# deny common executable/script payloads in uploads <FilesMatch "\.(php|phtml|php[0-9]?|phar|cgi|pl|py|sh)$">
+ Require all denied
+</FilesMatch>
+Options -ExecCGI
diff --git a/src/nyan.png b/src/uploads/nyan.png
Binary files differ
index 377b9d0..377b9d0 100644
--- a/src/nyan.png
+++ b/src/uploads/nyan.png |
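Review bot: `nyan_png()` now serves an app-owned static asset out of `UPLOAD_DIR`, the same directory that `upload()` writes user-supplied files into, so the asset's integrity now rests on every writer to that directory never producing the name `nyan.png`. In this diff `upload()` always appends a generated `_{epoch}-{rand}` suffix, so no overwrite path is visible, but keeping bundled assets out of the user-writable directory (a separate static folder, or at least a read-only file) removes the dependency on that invariant. At minimum record it at the route: `# nyan.png is app-owned; nothing but upload() (which always suffixes names) may write into UPLOAD_DIR`.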
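Review bot: `(UPLOAD_DIR / filename).write_bytes(data)` still overwrites silently if the generated name already exists; the new 16-character base-36 `rand` makes a collision far less likely than `token_hex(4)` did, but an exclusive create makes that assumption explicit and fails safe instead of clobbering: `with (UPLOAD_DIR / filename).open("xb") as fh:` / `    fh.write(data)`. The `epoch` component also discloses the upload time to anyone holding the URL; if that is not intended, drop it, since `rand` alone already provides the uniqueness. `upload()` begins before this hunk, so where `mime`, `f` and `data` come from and how they are validated is not visible here.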
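Review bot: The new `.htaccess` is a deny-list, while `upload()` already limits the final extension to the `ALLOWED_MIME` values, so an allow-list (deny everything under `src/uploads` except those image extensions) would be stricter and would not need updating as further script extensions appear. Within the pattern `\.(php|phtml|php[0-9]?|phar|cgi|pl|py|sh)$` the `php` alternative is redundant with `php[0-9]?`. Confirm the file is actually in effect: `Require all denied` is Apache 2.4 syntax and needs `AllowOverride` to permit `AuthConfig` (for `Require`) and `Options` (for `Options -ExecCGI`) in this directory, otherwise it is ignored or causes a 500. If uploads are only ever served through the Flask `/uploads/<filename>` route seen in the previous hunk, Apache never consults this file at all, so a header comment such as `# only effective when Apache serves this directory directly; Flask's /uploads route does not read it` would save the next reader from assuming protection that is not there.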
