From 392c9b34cdb5b4c3c4904e5d76dfbfffb862e041 Mon Sep 17 00:00:00 2001
From: bashrc <bob@libreserver.org>
Date: Thu, 15 Jan 2026 15:55:55 +0000
Subject: [PATCH] More bad paths

---
 utils.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/utils.py b/utils.py
index 7a5499074..5ac0ca0f1 100644
--- a/utils.py
+++ b/utils.py
@@ -3967,7 +3967,8 @@ def check_bad_path(path: str):
     """
     path_lower = path.lower()
 
-    bad_strings = ('..', '/.', '%2e%2e', '%252e%252e')
+    bad_strings = ('..', '/.', '%2e%2e', '%252e%252e',
+                   '/sftp.', '/sftp-')
 
     # allow /.well-known/...
     if '/.' in path_lower: