Raise BadRequest if static file name is invalid

* Raise BadRequest if static file name is invalid * Clean up syntax a bit * Remove unnecessary close()
2016-04-02 12:07:27 -07:00 · 2016-04-02 12:07:27 -07:00 · 9f1be8e795
commit 9f1be8e795
parent d3d8a4694a
2 changed files with 15 additions and 3 deletions
--- a/flask/helpers.py
+++ b/flask/helpers.py
@ -27,7 +27,7 @@ except ImportError:
    from urlparse import quote as url_quote

 from werkzeug.datastructures import Headers
-from werkzeug.exceptions import NotFound
+from werkzeug.exceptions import BadRequest, NotFound

 # this was moved in 0.7
 try:
@ -618,8 +618,11 @@ def send_from_directory(directory, filename, **options):
    filename = safe_join(directory, filename)
    if not os.path.isabs(filename):
        filename = os.path.join(current_app.root_path, filename)
-    if not os.path.isfile(filename):
-        raise NotFound()
+    try:
+        if not os.path.isfile(filename):
+            raise NotFound()
+    except (TypeError, ValueError):
+        raise BadRequest()
    options.setdefault('conditional', True)
    return send_file(filename, **options)

--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@ -15,6 +15,7 @@ import os
 import datetime
 import flask
 from logging import StreamHandler
+from werkzeug.exceptions import BadRequest
 from werkzeug.http import parse_cache_control_header, parse_options_header
 from werkzeug.http import http_date
 from flask._compat import StringIO, text_type
@ -504,6 +505,14 @@ class TestSendfile(object):
            assert rv.data.strip() == b'Hello Subdomain'
            rv.close()

+    def test_send_from_directory_bad_request(self):
+        app = flask.Flask(__name__)
+        app.testing = True
+        app.root_path = os.path.join(os.path.dirname(__file__),
+                                     'test_apps', 'subdomaintestmodule')
+        with app.test_request_context():
+            with pytest.raises(BadRequest):
+                flask.send_from_directory('static', 'bad\x00')

 class TestLogging(object):