@ -427,12 +427,8 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False, |
|
|
|
guessing requires a `filename` or an `attachment_filename` to be |
|
|
|
guessing requires a `filename` or an `attachment_filename` to be |
|
|
|
provided. |
|
|
|
provided. |
|
|
|
|
|
|
|
|
|
|
|
Please never pass filenames to this function from user sources without |
|
|
|
Please never pass filenames to this function from user sources; |
|
|
|
checking them first. Something like this is usually sufficient to |
|
|
|
you should use :func:`send_from_directory` instead. |
|
|
|
avoid security problems:: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if '..' in filename or filename.startswith('/'): |
|
|
|
|
|
|
|
abort(404) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. versionadded:: 0.2 |
|
|
|
.. versionadded:: 0.2 |
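Review bot: The rewritten warning in the `send_file` docstring names the safe alternative but gives no reason, so a reader who already copied the dropped `'..'` / `startswith('/')` snippet from an older version will not learn that it is the inadequate check being retired. Suggest extending the new sentence to `you should use :func:`send_from_directory` instead, which only serves files that resolve inside the given directory.`, so the docstring states what the alternative guarantees rather than just pointing at it. The `..` check is also only one of several ways a user-supplied path can escape (the exact set depends on the platform), which is presumably why the snippet was removed; a short parenthetical such as `(ad-hoc path checks are easy to get wrong)` would make that explicit. The enclosing `send_file` definition starts before this hunk and continues after it.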
|
|
|
|
|
|
|
|
|
|
|