Extra safety for safe_join. Does not look exploitable but better safe than sorry. Fixes #501

flask/helpers.py

@@ -604,7 +604,9 @@ def safe_join(directory, filename):
     for sep in _os_alt_seps:
         if sep in filename:
             raise NotFound()
-    if os.path.isabs(filename) or filename.startswith('../'):
+    if os.path.isabs(filename) or \
+       filename == '..' or \
+       filename.startswith('../'):
         raise NotFound()
     return os.path.join(directory, filename)
 

flask/testsuite/regression.py

@@ -17,6 +17,7 @@ import flask
 import threading
 import unittest
 from werkzeug.test import run_wsgi_app, create_environ
+from werkzeug.exceptions import NotFound
 from flask.testsuite import FlaskTestCase
 
 
@@ -79,6 +80,11 @@ class MemoryTestCase(FlaskTestCase):
                 for x in xrange(10):
                     fire()
 
+    def test_safe_join_toplevel_pardir(self):
+        from flask.helpers import safe_join
+        with self.assert_raises(NotFound):
+            safe_join('/foo', '..')
+
 
 def suite():
     suite = unittest.TestSuite()