On my system I am trying to run a Flask app with minimum permissions. In this case, it is run as:
sudo -u nobody python flask_webapp.py
All the files in its directory are readable by everyone, but some parent directories are not. The app fails whenever I try to serve up a file, either indirectly by trying to access http://myapp.com/static/test.html, or directly by the following code:
The problem is, Flask converts all relative paths to absolute paths in the send_file function. This breaks if it doesn't have directory read access all the way to the system root.
The problem seems to arise from the following lines, 543 to 545 of helpers.py:
if filename is not None:
    if not os.path.isabs(filename):
        filename = os.path.join(current_app.root_path, filename)
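The following is an added, stand-alone example (not code from the question or from Flask itself) that reproduces the join shown above from helpers.py and then walks the resulting absolute path to report which parent directories lack the "other" search bit, which is what a user such as nobody needs to get past a directory on the way to a world-readable file. The temp directory layout, the app/static/test.html file and the mode values 0700 and 0751 are constructed for the demo; the `stop_at` argument limits the walk to the temp tree so the result does not depend on the permissions of whatever sits above it on the verifier's disk.

```python
import os
import shutil
import stat
import tempfile


def resolve_like_flask(root_path, filename):
    """Reproduce the join from flask/helpers.py send_file: a relative
    filename is made absolute under the application's root_path."""
    if filename is not None and not os.path.isabs(filename):
        filename = os.path.join(root_path, filename)
    return filename


def ancestor_dirs(path, stop_at=None):
    """Every directory that must be searched to reach path, outermost first.
    With stop_at set, only directories at or below stop_at are listed
    (assumed helper, used so the demo ignores the permissions of /tmp)."""
    cur = os.path.dirname(os.path.abspath(path))
    chain = []
    while True:
        chain.append(cur)
        if stop_at is not None and os.path.samefile(cur, stop_at):
            break
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            break
        cur = parent
    return list(reversed(chain))


def dirs_blocking_others(path, stop_at=None):
    """Directories on the way to path that lack the 'other' search bit
    (o+x). A user outside owner and group, such as nobody, cannot
    traverse them even when the final file is world-readable."""
    return [d for d in ancestor_dirs(path, stop_at)
            if not (os.stat(d).st_mode & stat.S_IXOTH)]


def demo():
    """Build <tmp>/app/static/test.html, lock app/ to 0700, report the
    blocking directory, then open it with 0751 and report again."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o751)           # mkdtemp creates 0700; open the base
        app_root = os.path.join(base, "app")
        static = os.path.join(app_root, "static")
        os.makedirs(static)
        target = os.path.join(static, "test.html")
        with open(target, "w") as fh:
            fh.write("<p>hello</p>\n")  # constructed sample file
        os.chmod(target, 0o644)         # world-readable file
        os.chmod(static, 0o755)
        os.chmod(app_root, 0o700)       # parent searchable only by its owner

        absolute = resolve_like_flask(app_root, "static/test.html")
        before = [os.path.basename(d)
                  for d in dirs_blocking_others(absolute, stop_at=base)]

        os.chmod(app_root, 0o751)       # o+x only: traversal without listing
        after = [os.path.basename(d)
                 for d in dirs_blocking_others(absolute, stop_at=base)]
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    blocked_before, blocked_after = demo()
    print("blocking with app/ at 0700:", blocked_before)
    print("blocking with app/ at 0751:", blocked_after)
```

Run it as the owner of the temp tree; the check reads mode bits with os.stat rather than calling os.access, so the result is the same whether or not the script itself runs as root. To audit a real deployment, pass the absolute path that send_file builds and leave `stop_at` unset so the walk goes all the way to /.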
I should imagine any webserver would have issues serving files "behind" an inaccessible directory in an absolute path. Many web applications would have issues with this, too. I would humbly argue that this is a workspace setup issue.
You don't need "read" access all the way to /, but rather "recurse" access (0751 or o+x), which keeps things safe while allowing traversal onward from /.
If you're still unsure about this, what sort of solutions can be implemented? What implications would the solutions have (other than allowing for arguably "bad practices")?
Meanwhile, see this (which is a bit out of date): http://flask.pocoo.org/mailinglist/archive/2010/7/18/specify-flask-root-path/
Also look into here https://github.com/mitsuhiko/flask/blob/master/flask/app.py#L597
Or you could pass in a file pointer as in send_file( open( 'static/text.html', 'rb' ) ) and have that read directly.
send_file( open( 'static/text.html', 'rb' ) )
The current working directory is not reliable in WSGI, so Flask has to convert paths to absolute ones.