Merge pull request #1346 from ezyang/master
Remove bad security advice about send_file, fixes #1345
This commit is contained in:
Markus Unterwaditzer
commit
6521c36c68
1 changed files with 2 additions and 6 deletions
|
|
@ -427,12 +427,8 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
|
|||
guessing requires a `filename` or an `attachment_filename` to be
|
||||
provided.
|
||||
|
||||
Please never pass filenames to this function from user sources without
|
||||
checking them first. Something like this is usually sufficient to
|
||||
avoid security problems::
|
||||
|
||||
if '..' in filename or filename.startswith('/'):
|
||||
abort(404)
|
||||
Please never pass filenames to this function from user sources;
|
||||
you should use :func:`send_from_directory` instead.
|
||||
|
||||
.. versionadded:: 0.2
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue