From a99e45541463078c29dc24708f25aa3af694e2ab Mon Sep 17 00:00:00 2001
From: evandrocoan
Date: Thu, 2 Jul 2020 20:22:20 -0300
Subject: [PATCH] Removed duplicated mediasrv.py security check and fixed invalid command/path error message.

---
 qt/aqt/mediasrv.py | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/qt/aqt/mediasrv.py b/qt/aqt/mediasrv.py
index f9cb62b74..4f42c5511 100644
--- a/qt/aqt/mediasrv.py
+++ b/qt/aqt/mediasrv.py
@@ -126,13 +126,6 @@ def allroutes(pathin):
 try:
 if flask.request.method == "POST":
- if not pathin.startswith("_anki/"):
- return flask.Response(
- "Path for '%s - %s' is a security leak!" % (directory, path),
- status=HTTPStatus.FORBIDDEN,
- mimetype="text/plain",
- )
-
 if path == "graphData":
 body = request.data
 data = graph_data(allroutes.mw.col, **from_json_bytes(body))
@@ -140,7 +133,7 @@ def allroutes(pathin):
 data = allroutes.mw.col.backend.i18n_resources()
 else:
 return flask.Response(
- "Path for '%s - %s' is a security leak!" % (directory, path),
+ "Post request to '%s - %s' is a security leak!" % (directory, path),
 status=HTTPStatus.FORBIDDEN,
 mimetype="text/plain",
 )
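Review bot: With the `pathin.startswith("_anki/")` guard removed, the POST branch is gated only by comparing `path` against `"graphData"` and the other handled name, so the removal is safe only if `path` can never equal one of those names for a request outside `_anki/`. How `directory` and `path` are derived from `pathin` is above this hunk and not visible here, so that invariant should be confirmed. If it does not hold, a POST addressed to another directory would reach `graph_data(...)` with keyword arguments taken from the request body. Either keep a one-line prefix guard or state the invariant at the top of the branch, e.g. `# POST is served only for the names matched below; everything else returns 403`. The body of `allroutes` starts and ends outside the hunk.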
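Review bot: The reworded 403 body on the `else` branch still interpolates `directory` into the response, so any sender of an unrecognised POST gets the server-side directory echoed back. `directory` presumably holds a local filesystem path, which the client has no need to see. Consider returning only the request-derived name, `"Post request to '%s' is not allowed" % path,`, and logging the directory locally instead. The phrase "is a security leak" describes the request rather than the outcome, so the wording is worth changing while the line is being touched. `allroutes` extends outside the hunk.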