From d9194dcd764f8b5d13a7675e6bb4062cb0b772c9 Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Wed, 4 Feb 2026 12:14:12 -0700
Subject: [PATCH] fix: Sanitize playlist names to prevent directory traversal

Co-authored-by: aider (gemini/gemini-2.5-pro)
---
 main.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/main.py b/main.py
index e465c79..118679e 100644
--- a/main.py
+++ b/main.py
@@ -38,9 +38,14 @@ def run_pls_command(playlist_id):
 return ""
 
 
+def sanitize_for_filename(name):
+ """Sanitizes a string to be safe as a filename component."""
+ return name.replace('/', '_').replace('\\', '_')
+
+
 def save_playlist_file(playlist_dir, playlist_name, content):
 """Saves the transformed playlist content to a file."""
- filename = f"{playlist_name}.m3u8"
+ filename = f"{sanitize_for_filename(playlist_name)}.m3u8"
 filepath = os.path.join(playlist_dir, filename)
 try:
 with open(filepath, 'w', encoding='utf-8') as f:
@@ -52,7 +57,7 @@ def save_playlist_file(playlist_dir, playlist_name, content):
 
 def delete_playlist_file(playlist_dir, playlist_name):
 """Deletes a playlist file."""
- filename = f"{playlist_name}.m3u8"
+ filename = f"{sanitize_for_filename(playlist_name)}.m3u8"
 filepath = os.path.join(playlist_dir, filename)
 if os.path.exists(filepath):
 try:
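Review bot: `sanitize_for_filename` is a deny-list of two characters, so every other character that is special to a filesystem still reaches `os.path.join` in `save_playlist_file` and, in the second hunk, `delete_playlist_file`. On Windows a name containing `:` can carry a drive prefix, and `os.path.join` discards `playlist_dir` when a later component names a drive; NUL and control characters, and an empty name (which yields the hidden file `.m3u8`), also pass through unchanged. An allow-list as sketched below closes these cases in one place; widen the permitted punctuation if existing playlist names need it. Where playlist names come from is not visible in this patch, so they are best treated as untrusted. `save_playlist_file` continues past the end of the hunk.

```python
def sanitize_for_filename(name):
    """Return name reduced to characters that are safe in a single path component."""
    # Allow-list: letters, digits and a few punctuation marks survive; path
    # separators, ':', NUL and control characters all become '_'.
    cleaned = "".join(c if c.isalnum() or c in " ._-" else "_" for c in name)
    # Never hand back an empty or dot-leading component.
    return cleaned.lstrip(".") or "_"

# … unchanged: save_playlist_file and delete_playlist_file call sites …
```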
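Review bot: The mapping is not one-to-one, so `delete_playlist_file` for a playlist named, for example, `a/b` now removes `a_b.m3u8`, which may be the file of a different playlist actually named `a_b`; `save_playlist_file` can overwrite across the same collision. If a stable identifier is available (the hunk header shows `run_pls_command(playlist_id)`), including it in the filename would keep distinct playlists on distinct files. The `f"{sanitize_for_filename(playlist_name)}.m3u8"` expression is now repeated in both functions; a shared helper that returns the joined path would keep save and delete in agreement and give one place for a containment check against `playlist_dir`. The function body continues beyond the hunk, which ends at `try:`.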