From 33dd9b66683e6838d6da16f5563c20de5d32ef5a Mon Sep 17 00:00:00 2001
From: Zed
Date: Fri, 6 Feb 2026 20:32:44 +0100
Subject: [PATCH] Fix /pic/ exploit
---
 src/routes/media.nim | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/routes/media.nim b/src/routes/media.nim
index 186b8d8..011d0f3 100644
--- a/src/routes/media.nim
+++ b/src/routes/media.nim
@@ -93,6 +93,8 @@ proc createMediaRouter*(cfg: Config) =
 get re"^\/pic\/orig\/(enc)?\/?(.+)":
 var url = decoded(request, 1)
+ cond "amplify_video" notin url
+
 if "twimg.com" notin url:
 url.insert(twimg)
 if not url.startsWith(https):
@@ -107,6 +109,8 @@ proc createMediaRouter*(cfg: Config) =
 get re"^\/pic\/(enc)?\/?(.+)":
 var url = decoded(request, 1)
+ cond "amplify_video" notin url
+
 if "twimg.com" notin url:
 url.insert(twimg)
 if not url.startsWith(https):
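Review bot: The added `cond "amplify_video" notin url` in the `/pic/orig/` handler, and the identical line in the `/pic/` handler in the second hunk, is a case-sensitive substring denylist on the raw decoded string, so it only rejects that exact spelling. Whether the URL is parsed or validated again before the fetch cannot be seen here, because both handler bodies continue past the hunks. Consider testing the parsed, normalised path instead, or allowlisting the path prefixes the picture proxy is meant to serve, and put it in one shared helper so the two routes cannot drift, e.g. `cond not isBlockedMediaPath(url)` (helper name is a placeholder). As far as I know a failed `cond` hands the request to the next matching route, and the second regex also matches `/pic/orig/...`, so the guard holds only while every `/pic/` route carries it. The commit message says only "exploit", so a comment such as `# /pic/ must not proxy amplify_video paths: <reason>` above each check would record the intent.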