playground
/
flask
mirror of https://github.com/mitsuhiko/flask.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

Remove bad security advice about send_file. 

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
pull/1346/head
Edward Z. Yang 10 years ago
parent
f0b4b99930
commit
29f7c10a5d
1 changed files with 2 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      flask/helpers.py

8
flask/helpers.py
Unescape View File

@ -427,12 +427,8 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
guessing requires a `filename` or an `attachment_filename` to be
provided.
Please never pass filenames to this function from user sources without
checking them first. Something like this is usually sufficient to
avoid security problems::
if '..' in filename or filename.startswith('/'):
abort(404)
Please never pass filenames to this function from user sources;
you should use :func:`send_from_directory` instead.
.. versionadded:: 0.2

Write Preview
Loading…
Cancel
Save