forked from orbit-oss/flask
Remove bad security advice about send_file.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
parent f0b4b99930
commit 29f7c10a5d
1 changed files with 2 additions and 6 deletions
|
|
@ -427,12 +427,8 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
|
|||
guessing requires a `filename` or an `attachment_filename` to be
|
||||
provided.
|
||||
|
||||
Please never pass filenames to this function from user sources without
|
||||
checking them first. Something like this is usually sufficient to
|
||||
avoid security problems::
|
||||
|
||||
if '..' in filename or filename.startswith('/'):
|
||||
abort(404)
|
||||
Please never pass filenames to this function from user sources;
|
||||
you should use :func:`send_from_directory` instead.
|
||||
|
||||
.. versionadded:: 0.2
|
||||
|
||||
|
|
|
|||
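Review bot: The two replacement docstring lines ("Please never pass filenames to this function from user sources; you should use :func:`send_from_directory` instead.") give the reader no reason, so anyone who already copied the removed `if '..' in filename or filename.startswith('/')` snippet has nothing telling them that check should go. The commit title calls the old advice bad, but that judgement does not reach the docstring. Consider adding one clause saying that a string test like the removed one (it looks only for '..' and a leading '/') is not a sufficient check, and that `send_from_directory` is the supported way to serve a user-supplied name. It would also help to say that the directory argument given to `send_from_directory` should itself be a fixed, trusted path rather than user input, since the new wording only covers the filename.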