fixed possible security problem in module branch

2010-07-04 20:36:34 +02:00 · 2010-07-04 20:36:34 +02:00 · 8945a97a42
commit 8945a97a42
parent f1cde5bbfc
2 changed files with 22 additions and 1 deletions
--- a/flask/helpers.py
+++ b/flask/helpers.py
@ -29,6 +29,7 @@ except ImportError:
        json_available = False

 from werkzeug import Headers, wrap_file, is_resource_modified, cached_property
+from werkzeug.exceptions import NotFound

 from jinja2 import FileSystemLoader

@ -334,7 +335,7 @@ class _PackageBoundObject(object):
        .. versionadded:: 0.5
        """
        filename = posixpath.normpath(filename)
-        if filename.startswith('../'):
+        if filename.startswith(('/', '../')):
            raise NotFound()
        filename = os.path.join(self.root_path, 'static', filename)
        if not os.path.isfile(filename):