maya-chen/flask
1
0
Fork 0
forked from orbit-oss/flask
Code Pull requests Activity

Make sure that windows servers do not allow downloading arbitrary files

Browse source 
Signed-off-by: Armin Ronacher <armin.ronacher@active-4.com>
This commit is contained in:
Armin Ronacher 2010-12-23 14:15:18 +01:00
parent 63268b3616
commit aeed530e32
1 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
flask/helpers.py
View file

@ -58,6 +58,13 @@ else:
_tojson_filter = json.dumps _tojson_filter = json.dumps
# what separators does this operating system provide that are not a slash?
# this is used by the send_from_directory function to ensure that nobody is
# able to access files from outside the filesystem.
_os_alt_seps = list(sep for sep in [os.path.sep, os.path.altsep]
if sep not in (None, '/'))
def _endpoint_from_view_func(view_func): def _endpoint_from_view_func(view_func):
"""Internal helper that returns the default endpoint for a given """Internal helper that returns the default endpoint for a given
function. This always is the function name. function. This always is the function name.
@ -386,7 +393,10 @@ def send_from_directory(directory, filename, **options):
forwarded to :func:`send_file`. forwarded to :func:`send_file`.
""" """
filename = posixpath.normpath(filename) filename = posixpath.normpath(filename)
if filename.startswith(('/', '../')): for sep in _os_alt_seps:
if sep in filename:
raise NotFound()
if os.path.isabs(filename) or filename.startswith('../'):
raise NotFound() raise NotFound()
filename = os.path.join(directory, filename) filename = os.path.join(directory, filename)
if not os.path.isfile(filename): if not os.path.isfile(filename):