* HTTP Proxy: Limit proxy.i2p to /themes/ directory

apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java

@@ -811,11 +811,14 @@ public class I2PTunnelHTTPClient extends I2PTunnelClientBase implements Runnable
      *  but inproxy/gateway ops would be wise to block proxy.i2p to prevent
      *  exposing the docs/ directory or perhaps other issues through
      *  uncaught vulnerabilities.
+     *  Restrict to the /themes/ directory for now.
      *
-     *  @param targetRequest "proxy.i2p/foo.png HTTP/1.1"
+     *  @param targetRequest "proxy.i2p/themes/foo.png HTTP/1.1"
      */
     private static void serveLocalFile(OutputStream out, String method, String targetRequest) {
-        if (method.equals("GET") || method.equals("HEAD")) {
+        if ((method.equals("GET") || method.equals("HEAD")) &&
+            targetRequest.startsWith("proxy.i2p/themes/") &&
+            !targetRequest.contains("..")) {
             int space = targetRequest.indexOf(' ');
             String filename = null;
             try {