fixed possible security problem in module branch

flask/helpers.py

@@ -29,6 +29,7 @@ except ImportError:
         json_available = False
 
 from werkzeug import Headers, wrap_file, is_resource_modified, cached_property
+from werkzeug.exceptions import NotFound
 
 from jinja2 import FileSystemLoader
 
@@ -334,7 +335,7 @@ class _PackageBoundObject(object):
         .. versionadded:: 0.5
         """
         filename = posixpath.normpath(filename)
-        if filename.startswith('../'):
+        if filename.startswith(('/', '../')):
             raise NotFound()
         filename = os.path.join(self.root_path, 'static', filename)
         if not os.path.isfile(filename):

tests/flask_tests.py

@@ -20,6 +20,7 @@ from logging import StreamHandler
 from contextlib import contextmanager
 from datetime import datetime
 from werkzeug import parse_date, parse_options_header
+from werkzeug.exceptions import NotFound
 from cStringIO import StringIO
 
 example_path = os.path.join(os.path.dirname(__file__), '..', 'examples')
@@ -645,6 +646,25 @@ class ModuleTestCase(unittest.TestCase):
             assert flask.url_for('admin.static', filename='test.txt') \
                 == '/admin/static/test.txt'
 
+    def test_safe_access(self):
+        from moduleapp import app
+
+        with app.test_request_context():
+            f = app.view_functions['admin.static']
+
+            try:
+                rv = f('/etc/passwd')
+            except NotFound:
+                pass
+            else:
+                assert 0, 'expected exception'
+            try:
+                rv = f('../__init__.py')
+            except NotFound:
+                pass
+            else:
+                assert 0, 'expected exception'
+
 
 class SendfileTestCase(unittest.TestCase):