Extra safety for safe_join. Does not look exploitable but better safe than sorry. Fixes #501

2012-10-07 22:58:41 +02:00 · 2012-10-07 22:58:41 +02:00 · 3afcbf160e
commit 3afcbf160e
parent f701f69947
2 changed files with 9 additions and 1 deletions
--- a/flask/helpers.py
+++ b/flask/helpers.py
@ -604,7 +604,9 @@ def safe_join(directory, filename):
    for sep in _os_alt_seps:
        if sep in filename:
            raise NotFound()
-    if os.path.isabs(filename) or filename.startswith('../'):
+    if os.path.isabs(filename) or \
+       filename == '..' or \
+       filename.startswith('../'):
        raise NotFound()
    return os.path.join(directory, filename)

--- a/flask/testsuite/regression.py
+++ b/flask/testsuite/regression.py
@ -17,6 +17,7 @@ import flask
 import threading
 import unittest
 from werkzeug.test import run_wsgi_app, create_environ
+from werkzeug.exceptions import NotFound
 from flask.testsuite import FlaskTestCase


@ -79,6 +80,11 @@ class MemoryTestCase(FlaskTestCase):
                for x in xrange(10):
                    fire()

+    def test_safe_join_toplevel_pardir(self):
+        from flask.helpers import safe_join
+        with self.assert_raises(NotFound):
+            safe_join('/foo', '..')
+

 def suite():
    suite = unittest.TestSuite()