Make sure that windows servers do not allow downloading arbitrary files

commit ed70b42798a31bce951917ff22b996c810e2c3a9 1 parent fb88d9d
Armin Ronacher authored
Showing with 11 additions and 1 deletion.
  1. +11 −1 flask/helpers.py
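--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -58,6 +58,13 @@ def _tojson_filter(*args, **kwargs):
 _tojson_filter = json.dumps
+# what separators does this operating system provide that are not a slash?
+# this is used by the send_from_directory function to ensure that nobody is
+# able to access files from outside the filesystem.
+_os_alt_seps = list(sep for sep in [os.path.sep, os.path.altsep]
+ if sep not in (None, '/'))
+
+
 def _endpoint_from_view_func(view_func):
 """Internal helper that returns the default endpoint for a given
 function. This always is the function name.
@@ -413,7 +420,10 @@ def download_file(filename):
 forwarded to :func:`send_file`.
 """
 filename = posixpath.normpath(filename)
-if filename.startswith(('/', '../')):
+for sep in _os_alt_seps:
+if sep in filename:
+raise NotFound()
+if os.path.isabs(filename) or filename.startswith('../'):
 raise NotFound()
 filename = os.path.join(directory, filename)
 if not os.path.isfile(filename):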
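Review bot: The new `os.path.isabs(filename)` guard still lets a Windows drive-relative name such as `C:boot.ini` through: `ntpath.isabs` returns False for it, it contains no alternate separator and does not start with `../`, yet the following `os.path.join(directory, filename)` drops `directory` entirely when the second component names a different drive, so the lookup escapes the intended directory. Rejecting a drive prefix closes this, e.g. `if os.path.splitdrive(filename)[0] or os.path.isabs(filename) or filename.startswith('../'):`, or alternatively build the path with `posixpath.join(directory, filename)` so a drive letter is treated as an ordinary name component. A bare `..` also passes the prefix check and resolves to the parent directory; only the later `isfile` test stops it from being served, so `filename == '..'` belongs in the condition as well. The comment on `_os_alt_seps` should say "outside the directory" rather than "outside the filesystem", since that is what the check enforces. The enclosing send_from_directory function starts before and continues after this hunk.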