From fd8ce188140765b1f73fb53875f23f0ceab0d726 Mon Sep 17 00:00:00 2001
From: bashrc
Date: Thu, 5 Feb 2026 22:51:51 +0000
Subject: [PATCH] More bad strings

---
 utils.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/utils.py b/utils.py
index 7aa5e4ce2..5fd88bdff 100644
--- a/utils.py
+++ b/utils.py
@@ -3992,7 +3992,8 @@ def check_bad_path(path: str):
 bad_strings = ('..', '/.', '%2e%2e', '%252e%252e', '/sftp.', '/sftp-', '/statistics', '/config/', 'settings.', 'credentials',
- '/packs/', '/backend/', '/apis/')
+ '/packs/', '/backend/', '/apis/',
+ '/laravel/', '/js/')
 # allow /.well-known/...
 if '/.' in path_lower:
@@ -4005,6 +4006,7 @@ def check_bad_path(path: str):
 return True
 if path_lower.endswith('.js') or \
+ path_lower.endswith('.py') or \
 path_lower.endswith('.php') or \
 path_lower.endswith('.bak') or \
 path_lower.endswith('.env') or \
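Review bot: In the first hunk, the new `bad_strings` entries `'/laravel/'` and `'/js/'` are short, generic substrings. If the tuple is matched with `in path_lower` anywhere in the path (the matching loop is outside this hunk, so this is inferred), `'/js/'` would also reject any legitimate route that contains that segment. A comment above the tuple stating the invariant would help, e.g. `# substrings seen only in scanner probes; none may occur in a valid route`, together with a unit test asserting that known-good paths still pass `check_bad_path`. The tuple carries percent-encoded forms only for `..`; whether `path` is already URL-decoded when it reaches this function is not visible here and should be confirmed at the caller.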
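Review bot: In the second hunk, the `endswith(...) or \` chain grows by one more backslash-continued line, but `str.endswith` accepts a tuple, so the whole condition can be one call: `if path_lower.endswith(('.js', '.py', '.php', '.bak', '.env')):`, extended with the remaining suffixes that lie outside the hunk. That removes the fragile line continuations and makes each future addition a one-token change. The suffix test only fires when the extension is the very end of `path`. If `path` can still carry a query string or fragment at this point (not visible here), a request for a `.py` path with parameters appended would not be rejected, so the check should run on the path component alone. The `if` statement continues past the end of the hunk.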