send_file breaks when flask app run as nobody #633

ernwa opened this Issue Nov 12, 2012 · 2 comments


None yet
3 participants

ernwa commented Nov 12, 2012

on my system I am trying to run a flask app with minimum permissions. In this case, it is run as:

sudo -u nobody python

all the files in its directory are readable by everyone, but some parent directories are not. The app fails whenever I try to serve up a file, either indirectly by trying to access, or directly by the following code:

def web_app():
    return send_file("./static/test.html")

The problem is, flask converts all relative paths to absolute paths in the send_file function. This breaks if it doesn't have directory read access all the way to the system root.

The problem seems to arise from the following lines, 543 to 545 of

if filename is not None:
    if not os.path.isabs(filename):
        filename = os.path.join(current_app.root_path, filename)

soulseekah commented Nov 13, 2012

I should imagine any webserver would have issues serving files "behind" an inaccessible directory in an absolute path. Many web-applications would have issues with this, too. I would humbly argue that this is a workspace setup issue.

You don't need "read" access all the way to /, but rather "recurse" access (0751 or o+x) which keep things safe while allowing traversal onward from /.

If you're still unsure about this, what sort of solutions can be implemented? What implications would the solutions have (other than allowing for arguably "bad practices")?

Meanwhile, see this maybe (which is a bit out of date)
Also look into here
Or you could pass in a file pointer as in send_file( open( 'static/text.html', 'rb' ) ) and have that read directly.


mitsuhiko commented Jan 27, 2013

The current working directory is not reliable in WSGI, Flask has to convert it to absolute paths.

mitsuhiko closed this Jan 27, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment