|
|
@ -563,8 +563,9 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False, |
|
|
|
return rv |
|
|
|
return rv |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def safe_join(directory, filename): |
|
|
|
def safe_join(directory, *pathnames): |
|
|
|
"""Safely join `directory` and `filename`. |
|
|
|
"""Safely join `directory` and zero or more untrusted `pathnames` |
|
|
|
|
|
|
|
components. |
|
|
|
|
|
|
|
|
|
|
|
Example usage:: |
|
|
|
Example usage:: |
|
|
|
|
|
|
|
|
|
|
@ -574,11 +575,13 @@ def safe_join(directory, filename): |
|
|
|
with open(filename, 'rb') as fd: |
|
|
|
with open(filename, 'rb') as fd: |
|
|
|
content = fd.read() # Read and process the file content... |
|
|
|
content = fd.read() # Read and process the file content... |
|
|
|
|
|
|
|
|
|
|
|
:param directory: the base directory. |
|
|
|
:param directory: the trusted base directory. |
|
|
|
:param filename: the untrusted filename relative to that directory. |
|
|
|
:param pathnames: the untrusted pathnames relative to that directory. |
|
|
|
:raises: :class:`~werkzeug.exceptions.NotFound` if the resulting path |
|
|
|
:raises: :class:`~werkzeug.exceptions.NotFound` if one or more passed |
|
|
|
would fall out of `directory`. |
|
|
|
paths fall out of its boundaries. |
|
|
|
""" |
|
|
|
""" |
|
|
|
|
|
|
|
for filename in pathnames: |
|
|
|
|
|
|
|
if filename != '': |
|
|
|
filename = posixpath.normpath(filename) |
|
|
|
filename = posixpath.normpath(filename) |
|
|
|
for sep in _os_alt_seps: |
|
|
|
for sep in _os_alt_seps: |
|
|
|
if sep in filename: |
|
|
|
if sep in filename: |
|
|
@ -587,7 +590,8 @@ def safe_join(directory, filename): |
|
|
|
filename == '..' or \ |
|
|
|
filename == '..' or \ |
|
|
|
filename.startswith('../'): |
|
|
|
filename.startswith('../'): |
|
|
|
raise NotFound() |
|
|
|
raise NotFound() |
|
|
|
return os.path.join(directory, filename) |
|
|
|
directory = os.path.join(directory, filename) |
|
|
|
|
|
|
|
return directory |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def send_from_directory(directory, filename, **options): |
|
|
|
def send_from_directory(directory, filename, **options): |
|
|
|