Extra safety for safe_join. Does not look exploitable but better safe than sorry. Fixes #501

2012-10-07 22:58:41 +02:00 · 2012-10-07 22:58:41 +02:00 · 3afcbf160e
commit 3afcbf160e
parent f701f69947
2 changed files with 9 additions and 1 deletions
--- a/flask/helpers.py
+++ b/flask/helpers.py
@ -604,7 +604,9 @@ def safe_join(directory, filename):
    for sep in _os_alt_seps:
        if sep in filename:
            raise NotFound()
-    if os.path.isabs(filename) or filename.startswith('../'):
+    if os.path.isabs(filename) or \
+       filename == '..' or \
+       filename.startswith('../'):
        raise NotFound()
    return os.path.join(directory, filename)