From 3afcbf160eff2a5ab6ac35a82e0719f972df8972 Mon Sep 17 00:00:00 2001
From: Armin Ronacher
Date: Sun, 7 Oct 2012 22:58:41 +0200
Subject: [PATCH] Extra safety for safe_join.
Does not look exploitable but better safe than sorry. Fixes #501
---
flask/helpers.py | 4 +++-
flask/testsuite/regression.py | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/flask/helpers.py b/flask/helpers.py
index 9491ac55..9bcb22bb 100644
--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -604,7 +604,9 @@ def safe_join(directory, filename):
for sep in _os_alt_seps:
if sep in filename:
raise NotFound()
- if os.path.isabs(filename) or filename.startswith('../'):
+ if os.path.isabs(filename) or \
+ filename == '..' or \
+ filename.startswith('../'):
raise NotFound()
return os.path.join(directory, filename)
diff --git a/flask/testsuite/regression.py b/flask/testsuite/regression.py
index bc37afc4..87a6289b 100644
--- a/flask/testsuite/regression.py
+++ b/flask/testsuite/regression.py
@@ -17,6 +17,7 @@ import flask
import threading
import unittest
from werkzeug.test import run_wsgi_app, create_environ
+from werkzeug.exceptions import NotFound
from flask.testsuite import FlaskTestCase
@@ -79,6 +80,11 @@ class MemoryTestCase(FlaskTestCase):
for x in xrange(10):
fire()
+ def test_safe_join_toplevel_pardir(self):
+ from flask.helpers import safe_join
+ with self.assert_raises(NotFound):
+ safe_join('/foo', '..')
+
def suite():
suite = unittest.TestSuite()
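Review bot: The new three-way condition in safe_join rejects only a leading parent reference (`..` on its own or a `../` prefix), so its safety rests on filename having already been collapsed by a normpath-style step earlier in the function; safe_join begins outside this hunk, so that cannot be confirmed here. The dependency is not stated anywhere near the check and is easy to break when the top of the function is edited, so a comment such as `# filename is assumed normalized above, so a remaining '..' can only be the leading segment; reject it both as the whole name and as a '../' prefix` would pin the intent. If no such normalization exists upstream, a per-segment test such as `if os.path.isabs(filename) or '..' in filename.split('/'):` covers interior parent references as well as the two leading forms and reads as one condition instead of three.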
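Review bot: test_safe_join_toplevel_pardir pins only the one input that the commit fixes, so the neighbouring branches of the same condition (the `../` prefix and the absolute-path check) have no regression coverage in this file. Since the test already has safe_join and NotFound in scope, extending it with `safe_join('/foo', '../bar')` and `safe_join('/foo', '/bar')` inside the same assert_raises pattern would make the whole rejection condition observable rather than one leg of it. A short docstring naming the issue it guards, `"""Regression for #501: a bare '..' must be rejected like '../'."""`, would also tell a future reader why this single-input test exists.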