403 on directory traversal

app.py

@@ -1,7 +1,7 @@
 from asyncio.streams import StreamReader, StreamWriter
 import re
 from typing import Any, LiteralString, Mapping
-from flask import Flask, render_template, request, send_file, jsonify
+from flask import Flask, abort, render_template, request, send_file, jsonify
 import os
 import subprocess
 import signal
@@ -175,7 +175,11 @@ async def route_toggle():
 @app.route("/files/<path:path>", methods=["GET"])
 @app.route("/files")
 def filemgr(path=""):
-    full_path = get_path(music_path, path)
+    try:
+        full_path = get_path(music_path, path)
+    except ValueError:
+        abort(403)
+
     print(full_path)
     if os.path.isfile(full_path):
         return send_file(full_path)
@@ -262,7 +266,10 @@ async def api_play_track(
     if re.match("^https?://.*", filename_or_url):
         playback_uri = filename_or_url
     else:
-        file_path = get_path(music_path, filename_or_url)
+        try:
+            file_path = get_path(music_path, filename_or_url)
+        except ValueError:
+            return jsonify(error_str.format(filename=filename_or_url)), 403
         if not file_path.exists():
             return jsonify(error_str.format(filename=filename_or_url)), 404
         playback_uri = str(file_path)
@@ -297,7 +304,10 @@ async def api_play_fx(
     if re.match("^https?://.*", filename_or_url):
         playback_uri = filename_or_url
     else:
-        file_path = get_path(fx_path, filename_or_url)
+        try:
+            file_path = get_path(fx_path, filename_or_url)
+        except ValueError:
+            return jsonify(error_str.format(filename=filename_or_url)), 403
         if not file_path.exists():
             return jsonify(error_str.format(filename=filename_or_url)), 404
         playback_uri = str(file_path)