safe_join with '..' #501

Closed
SimonSapin opened this Issue Apr 24, 2012 · 1 comment

Contributor

SimonSapin commented Apr 24, 2012

Is this a problem?

>>> from flask import safe_join
>>> safe_join('/foo', '..')
'/foo/..'

I think it could be if we’re exposing not just files but also directories (maybe making indexes, ...). Should safe_join check for '..' and not just '../'?

Contributor

RonnyPfannschmidt commented Apr 24, 2012

>>> safe_join('/foo', '..')
'/foo/..'
>>> safe_join('/foo', '../..')
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/home/ronny/Projects/pocoo/flask/flask/helpers.py", line 521, in safe_join
    raise NotFound()
NotFound: 404: Not Found

So I think stuff is fine.

@mitsuhiko mitsuhiko closed this in 3afcbf1 Oct 8, 2012
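
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Flask's code: `prefix_check_join` is an assumed reconstruction that rejects only the `'../'` prefix (it reproduces both outputs quoted above), and `strict_join` also rejects a bare `'..'`. All names here are hypothetical, and `NotFound` is a local stand-in for the 404 exception in the traceback.

```python
import posixpath


class NotFound(Exception):
    """Local stand-in for the 404 exception shown in the traceback."""


def prefix_check_join(directory, filename):
    # Assumption: only a leading '../' is rejected after normalisation.
    # This matches the two results quoted in the thread.
    filename = posixpath.normpath(filename)
    if posixpath.isabs(filename) or filename.startswith("../"):
        raise NotFound()
    return posixpath.join(directory, filename)


def strict_join(directory, filename):
    # normpath() collapses 'a/../..' to a bare '..', which has no
    # trailing slash, so it has to be compared for equality as well.
    filename = posixpath.normpath(filename)
    if (posixpath.isabs(filename)
            or filename == ".."
            or filename.startswith("../")):
        raise NotFound()
    return posixpath.join(directory, filename)


def outcome(join, directory, filename):
    """Return the joined path, or the string 'NotFound' if rejected."""
    try:
        return join(directory, filename)
    except NotFound:
        return "NotFound"


# Constructed sample inputs, not taken from the issue (except '..' and '../..').
SAMPLES = ["..", "../..", "a/../..", "static/../style.css", "/etc/passwd"]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-22r prefix=%-16s strict=%s" % (
            name,
            outcome(prefix_check_join, "/foo", name),
            outcome(strict_join, "/foo", name),
        ))
```
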
