Permalink
Browse files

Added note on send_file security.

  • Loading branch information...
1 parent 5bb2b55 commit f80e1d3b5ab8e718cc67c814cbfd9aee9c95f45f @mitsuhiko mitsuhiko committed May 11, 2010
Showing with 7 additions and 0 deletions.
  1. +7 −0 flask.py
View
@@ -249,6 +249,13 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
also explicitly provide one. For extra security you probably want
to sent certain files as attachment (HTML for instance).
+ Please never pass filenames to this function from user sources without
+ checking them first. Something like this is usually sufficient to
+ avoid security problems::
+
+ if '..' in filename or filename.startswith('/'):
+ abort(404)
+
.. versionadded:: 0.2
:param filename_or_fp: the filename of the file to send. This is

0 comments on commit f80e1d3

Please sign in to comment.