From 39abd1da6d73102e8c93d05d16ec3466b6e6ae6f Mon Sep 17 00:00:00 2001
From: Mazen Besher
Date: Mon, 20 Dec 2021 13:51:59 +0100
Subject: [PATCH] secure filename in webvtt regex against accidental evaluation
Co-authored-by: Ramires Viana <59319979+ramiresviana@users.noreply.github.com>
---
 files/file.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/file.go b/files/file.go
index c5e09995..46179587 100644
--- a/files/file.go
+++ b/files/file.go
@@ -279,7 +279,7 @@ func (i *FileInfo) detectSubtitles() {
 dir, err := afs.ReadDir(parentDir)
 if err == nil {
 base := strings.TrimSuffix(i.Name, ext)
- r := regexp.MustCompile(base + `\.(.*\.)?vtt`)
+ r := regexp.MustCompile("^" + regexp.QuoteMeta(base) + `\.(.*\.)?vtt$`)
 for _, f := range dir {
 if !f.IsDir() {
 if matches := r.FindStringSubmatch(f.Name()); len(matches) == 2 {
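Review bot: The rewritten `regexp.MustCompile` line has no comment saying why `base` is escaped and the pattern anchored, so a later cleanup could drop `regexp.QuoteMeta` without noticing what it protects. `base` is derived from `i.Name`, and `MustCompile` panics on an invalid pattern, so before this change a name with an unbalanced `(` or `[` would presumably have panicked here, and other metacharacters could match unrelated files. I would add `// base is a file name, not a pattern: quote it so MustCompile cannot panic and metacharacters match literally`, plus a table test for detectSubtitles with names containing `(`, `[`, `+` and `.`. Since the pattern is now a literal prefix and a fixed suffix, `strings.HasPrefix(f.Name(), base+".") && strings.HasSuffix(f.Name(), ".vtt")` may be simpler if the capture group is not used further down. The loop body continues outside the hunk, so that cannot be confirmed from here.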