safe_join keeps directory="" as relative path #2349

Merged: 1 commit, Mar 15, 2022

davidism (Member):

When using send_from_directory, which uses safe_join, if directory="" is given, it was discarded and the first untrusted path component could become the first component if it was a Windows drive-relative path.

@davidism added the security label (Pull requests that address a security vulnerability) on Mar 15, 2022
@davidism added this to the 2.1.0 milestone on Mar 15, 2022
@davidism merged commit 365ee7e into main on Mar 15, 2022
@davidism deleted the safe_join-empty branch on March 15, 2022 22:01
@github-actions bot locked as resolved and limited conversation to collaborators on Mar 30, 2022
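
The behaviour described in the pull request above, as an added example that is not code from the pull request or the project: `join_checked`, its `keep_empty_directory` flag and `drive_of` are hypothetical names for a simplified stand-in, and `C:secret.txt` is a constructed sample input. It uses `ntpath` so the Windows path rules can be checked on any platform.

```python
import ntpath
import posixpath


def join_checked(directory, *pathnames, keep_empty_directory):
    """Simplified stand-in for a safe-join helper (hypothetical, not the project's code).

    `directory` is trusted, `pathnames` are untrusted. Returns None on rejection.
    """
    if not directory and keep_empty_directory:
        # Keep "" as an explicit relative base so the result starts with "./"
        # and the first untrusted part can never be the leading component.
        directory = "."

    parts = [directory]
    for name in pathnames:
        if name != "":
            name = posixpath.normpath(name)
        if (
            "\\" in name                 # Windows separator in a "/"-style path
            or posixpath.isabs(name)     # absolute under POSIX rules
            or ntpath.isabs(name)        # absolute under Windows rules
            or name == ".."
            or name.startswith("../")
        ):
            return None
        parts.append(name)
    return posixpath.join(*parts)


def drive_of(path):
    """Drive prefix that Windows path rules see in `path` ('' if none)."""
    return ntpath.splitdrive(path)[0]


if __name__ == "__main__":
    untrusted = "C:secret.txt"  # constructed drive-relative name; not absolute, so it passes the checks
    for keep in (False, True):
        joined = join_checked("", untrusted, keep_empty_directory=keep)
        print(f"keep_empty_directory={keep}: {joined!r} drive={drive_of(joined)!r}")
```

With the empty directory discarded, the joined result begins with the untrusted drive prefix; with it kept as a relative base, the same input stays under the current directory.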