maya-chen/flask
1
0
Fork 0
forked from orbit-oss/flask
Code Pull requests Activity

Added note on send_file security.

Browse source
This commit is contained in:
Armin Ronacher 2010-05-12 01:02:20 +02:00
parent 5bb2b55a28
commit f80e1d3b5a
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
flask.py
View file

@ -249,6 +249,13 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
also explicitly provide one. For extra security you probably want also explicitly provide one. For extra security you probably want
to sent certain files as attachment (HTML for instance). to sent certain files as attachment (HTML for instance).
Please never pass filenames to this function from user sources without
checking them first. Something like this is usually sufficient to
avoid security problems::
if '..' in filename or filename.startswith('/'):
abort(404)
.. versionadded:: 0.2 .. versionadded:: 0.2
:param filename_or_fp: the filename of the file to send. This is :param filename_or_fp: the filename of the file to send. This is