Merge branch 'dev' into mp4-streaming

.gitattributes

@@ -0,0 +1,10 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+#
+# The above will handle all files NOT found below
+#
+# These files are text and should be normalized (Convert crlf => lf)
+*.bat           text  eol=crlf
+*.java          text  diff=java
+*.sh            text  eol=lf

client/.gitattributes

@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto

server/src/main/java/ctbrec/recorder/server/HlsServlet.java

@@ -4,6 +4,8 @@ import static javax.servlet.http.HttpServletResponse.*;
 import java.io.File;
 import java.io.IOException;
 import java.io.RandomAccessFile;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Enumeration;
@@ -33,10 +35,12 @@ public class HlsServlet extends AbstractCtbrecServlet {
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         String contextPath = getServletContext().getContextPath();
         String request = req.getRequestURI().substring(contextPath.length() + 5);
-        File recordingsDir = new File(config.getSettings().recordingsDir);
+        Path recordingsDirPath = Paths.get(config.getSettings().recordingsDir).toAbsolutePath().normalize();
-        File requestedFile = new File(recordingsDir, request);
+        Path requestedFilePath = recordingsDirPath.resolve(request).toAbsolutePath().normalize();
 
-        if (requestedFile.getCanonicalPath().startsWith(config.getSettings().recordingsDir)) {
+        boolean isValidRequestedPath = requestedFilePath.startsWith(recordingsDirPath);
+        if (isValidRequestedPath) {
+            File requestedFile = requestedFilePath.toFile();
             if (requestedFile.getName().equals("playlist.m3u8")) {
                 try {
                     boolean isRequestAuthenticated = checkAuthentication(req, req.getRequestURI());