Thanks. We're checking and handling path breakouts, but we've obviously not covered the Windows-specific case of breaking out using a drive-absolute path. Will have a look into resolving this as a priority.
If you pass in an absolute path by using a URL formatted like this: http://localhost:5000/staticmount/c%3a%5cwindows%5cwin.ini
Then you can read any file on the host machine.
This is because of the following Python behavior:
So staticfiles.py needs to be updated by placing in a check for absolute paths inside lookup_path(...).
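An added example, not code from the report or from the project: on Windows, `os.path.join` (`ntpath.join`) discards the preceding components when a later component is absolute, which is assumed here to be the behavior at issue, shown beside one form of the absolute-path check the report asks for. `STATIC_ROOT`, `naive_lookup` and `safe_lookup` are hypothetical names, the sample paths are constructed, and `unquote` stands in for the framework's URL decoding.

```python
import ntpath  # Windows path rules, importable on any OS
from typing import Optional
from urllib.parse import unquote

STATIC_ROOT = r"C:\srv\app\static"  # constructed sample mount directory


def naive_lookup(root: str, url_path: str) -> str:
    """Join with no validation: an absolute component replaces the root."""
    return ntpath.join(root, unquote(url_path))


def safe_lookup(root: str, url_path: str) -> Optional[str]:
    """Return the normalized path if it stays under root, otherwise None."""
    requested = unquote(url_path)
    drive, _ = ntpath.splitdrive(requested)
    # Reject drive-absolute (c:\x), drive-relative (c:x), UNC and rooted paths.
    if drive or ntpath.isabs(requested) or requested.startswith(("\\", "/")):
        return None
    root_norm = ntpath.normcase(ntpath.normpath(root))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root, requested)))
    # Containment check: also rejects "..\" sequences that climb out of root.
    try:
        inside = ntpath.commonpath([root_norm, full]) == root_norm
    except ValueError:  # paths on different drives
        inside = False
    return full if inside else None


if __name__ == "__main__":
    for sample in ("css/site.css", "c%3a%5cwindows%5cwin.ini", "..%5c..%5csecret.txt"):
        print(sample, "->", naive_lookup(STATIC_ROOT, sample), "|", safe_lookup(STATIC_ROOT, sample))
```

The containment check after normalization is what covers inputs the prefix tests miss, so both checks are kept rather than relying on the drive test alone.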