
Extra safety for safe_join. Does not look exploitable but better safe than sorry. Fixes #501
1 parent f701f69 commit 3afcbf160eff2a5ab6ac35a82e0719f972df8972 @mitsuhiko mitsuhiko committed Oct 7, 2012
Showing with 9 additions and 1 deletion.
  1. +3 −1 flask/helpers.py
  2. +6 −0 flask/testsuite/regression.py
4 flask/helpers.py
@@ -604,7 +604,9 @@ def wiki_page(filename):
for sep in _os_alt_seps:
if sep in filename:
raise NotFound()
- if os.path.isabs(filename) or filename.startswith('../'):
+ if os.path.isabs(filename) or \
+ filename == '..' or \
+ filename.startswith('../'):
raise NotFound()
return os.path.join(directory, filename)
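Review bot: The new three-way guard still relies on a Windows host never seeing a drive-relative name such as `C:foo`: `os.path.isabs('C:foo')` is False on ntpath, `_os_alt_seps` only rejects the backslash, and if I read `ntpath.join` right, `os.path.join(directory, 'C:foo')` discards `directory` whenever its drive letter differs, so the result is resolved against the process's current directory on that drive. The `startswith('../')` test also only catches a leading parent segment, so it depends on `filename` having been collapsed by a normpath call earlier in `safe_join`, which is outside this hunk — worth recording next to the condition, e.g. `# filename is already normpath'd, so any surviving '..' must be a leading segment`. If Windows deployments are in scope, one extra rejection before the join closes the drive case: `if os.path.splitdrive(filename)[0]: raise NotFound()`. The start of `safe_join`, including its docstring and the normalization step, lies outside this hunk.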
6 flask/testsuite/regression.py
@@ -17,6 +17,7 @@
import threading
import unittest
from werkzeug.test import run_wsgi_app, create_environ
+from werkzeug.exceptions import NotFound
from flask.testsuite import FlaskTestCase
@@ -79,6 +80,11 @@ def fire():
for x in xrange(10):
fire()
+ def test_safe_join_toplevel_pardir(self):
+ from flask.helpers import safe_join
+ with self.assert_raises(NotFound):
+ safe_join('/foo', '..')
+
def suite():
suite = unittest.TestSuite()
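Review bot: The regression test pins only the bare `'..'` input that #501 reported, so the neighbouring branches of the same guard (a `'../'` prefix and an absolute path) have no coverage and a later refactor of that condition could regress them unnoticed. Two more cases in the same `assert_raises` style would lock the whole guard down: `with self.assert_raises(NotFound): safe_join('/foo', '../bar')` and `with self.assert_raises(NotFound): safe_join('/foo', '/bar')`. A positive case asserting that `safe_join('/foo', 'bar')` returns the joined path would also guard against the check becoming over-broad, provided `FlaskTestCase` exposes an equality helper alongside `assert_raises` — I cannot see its definition from here.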
