Make sure that windows servers do not allow downloading arbitrary files

commit ed70b42798a31bce951917ff22b996c810e2c3a9 1 parent fb88d9d
@mitsuhiko authored
Showing with 11 additions and 1 deletion.
  1. +11 −1 flask/helpers.py
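--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -58,6 +58,13 @@ def _tojson_filter(*args, **kwargs):
 _tojson_filter = json.dumps
+# what separators does this operating system provide that are not a slash?
+# this is used by the send_from_directory function to ensure that nobody is
+# able to access files from outside the filesystem.
+_os_alt_seps = list(sep for sep in [os.path.sep, os.path.altsep]
+ if sep not in (None, '/'))
+
+
 def _endpoint_from_view_func(view_func):
 """Internal helper that returns the default endpoint for a given
 function. This always is the function name.
@@ -413,7 +420,10 @@ def download_file(filename):
 forwarded to :func:`send_file`.
 """
 filename = posixpath.normpath(filename)
- if filename.startswith(('/', '../')):
+ for sep in _os_alt_seps:
+ if sep in filename:
+ raise NotFound()
+ if os.path.isabs(filename) or filename.startswith('../'):
 raise NotFound()
 filename = os.path.join(directory, filename)
 if not os.path.isfile(filename):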
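Review bot: On Windows a filename whose first component carries a drive letter slips past every check in the second hunk — it contains no backslash, `os.path.isabs` is false for a drive-relative name, and it does not start with `../` — yet the stdlib documents that `os.path.join(directory, filename)` on the following line discards `directory` as soon as a later component has a drive, so the guard should also reject such names, e.g. `if os.path.splitdrive(filename)[0]: raise NotFound()` before the join. A bare `..` likewise passes `startswith('../')`; it resolves to the parent of `directory` and is only stopped by the later `isfile` test, so `filename == '..'` belongs in the same condition. In the first hunk `list(sep for sep in ...)` reads better as the list comprehension `[sep for sep in (os.path.sep, os.path.altsep) if sep not in (None, '/')]`. send_from_directory starts before and ends after this hunk, and the page has dropped the original indentation, so the exact nesting of the added lines is inferred.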