From 29f7c10a5dea499f64188e29a4e08161dbf14eff Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Sat, 7 Feb 2015 15:06:48 -0800
Subject: [PATCH] Remove bad security advice about send_file.

Signed-off-by: Edward Z. Yang
---
 flask/helpers.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/flask/helpers.py b/flask/helpers.py
index 080ea899..a78cb18e 100644
--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -427,12 +427,8 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
 guessing requires a `filename` or an `attachment_filename` to be
 provided.
 
- Please never pass filenames to this function from user sources without
- checking them first. Something like this is usually sufficient to
- avoid security problems::
-
- if '..' in filename or filename.startswith('/'):
- abort(404)
+ Please never pass filenames to this function from user sources;
+ you should use :func:`send_from_directory` instead.
 
 .. versionadded:: 0.2