Skip to content
Browse files

Make sure that windows servers do not allow downloading arbitrary files

  • Loading branch information...
1 parent fb88d9d commit ed70b42798a31bce951917ff22b996c810e2c3a9 @mitsuhiko committed
Showing with 11 additions and 1 deletion.
  1. +11 −1 flask/
12 flask/
@@ -58,6 +58,13 @@ def _tojson_filter(*args, **kwargs):
_tojson_filter = json.dumps
+# what separators does this operating system provide that are not a slash?
+# this is used by the send_from_directory function to ensure that nobody is
+# able to access files from outside the filesystem.
+_os_alt_seps = list(sep for sep in [os.path.sep, os.path.altsep]
+ if sep not in (None, '/'))
def _endpoint_from_view_func(view_func):
"""Internal helper that returns the default endpoint for a given
function. This always is the function name.
@@ -413,7 +420,10 @@ def download_file(filename):
forwarded to :func:`send_file`.
filename = posixpath.normpath(filename)
- if filename.startswith(('/', '../')):
+ for sep in _os_alt_seps:
+ if sep in filename:
+ raise NotFound()
+ if os.path.isabs(filename) or filename.startswith('../'):
raise NotFound()
filename = os.path.join(directory, filename)
if not os.path.isfile(filename):

0 comments on commit ed70b42

Please sign in to comment.
Something went wrong with that request. Please try again.