From 9f1be8e795ace494018689c87d8a5e5601313e4d Mon Sep 17 00:00:00 2001
From: David Hou
Date: Sat, 2 Apr 2016 12:07:27 -0700
Subject: [PATCH] Raise BadRequest if static file name is invalid
* Raise BadRequest if static file name is invalid
* Clean up syntax a bit
* Remove unnecessary close()
---
 flask/helpers.py | 9 ++++++---
 tests/test_helpers.py | 9 +++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/flask/helpers.py b/flask/helpers.py
index a7d8f97c..02e99e37 100644
--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -27,7 +27,7 @@ except ImportError:
 from urlparse import quote as url_quote
 from werkzeug.datastructures import Headers
-from werkzeug.exceptions import NotFound
+from werkzeug.exceptions import BadRequest, NotFound
 # this was moved in 0.7
 try:
@@ -618,8 +618,11 @@ def send_from_directory(directory, filename, **options):
 filename = safe_join(directory, filename)
 if not os.path.isabs(filename):
 filename = os.path.join(current_app.root_path, filename)
- if not os.path.isfile(filename):
- raise NotFound()
+ try:
+ if not os.path.isfile(filename):
+ raise NotFound()
+ except (TypeError, ValueError):
+ raise BadRequest()
 options.setdefault('conditional', True)
 return send_file(filename, **options)
diff --git a/tests/test_helpers.py b/tests/test_helpers.py
index 2fe2ead5..5605c45d 100644
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@@ -15,6 +15,7 @@ import os
 import datetime
 import flask
 from logging import StreamHandler
+from werkzeug.exceptions import BadRequest
 from werkzeug.http import parse_cache_control_header, parse_options_header
 from werkzeug.http import http_date
 from flask._compat import StringIO, text_type
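Review bot: In the `send_from_directory` hunk of flask/helpers.py, an invalid name becomes a 400 only as a side effect of `os.path.isfile()` raising, so the rejection depends on how the running interpreter's `isfile` treats such a path rather than on an explicit rule. The `safe_join()` and `os.path.join()` calls in the context lines above sit outside the `try`; whether they can raise on the same input is not visible here, but if they can, that error would still surface as a 500. Checking the name before any filesystem call, for example `if '\x00' in filename: raise BadRequest()` ahead of `safe_join`, would state the intent directly. Failing that, a comment above the `try` such as `# a NUL byte in the path makes isfile() raise TypeError or ValueError` would explain why these two exception types are caught. The function body starts outside the hunk.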
@@ -504,6 +505,14 @@ class TestSendfile(object):
 assert rv.data.strip() == b'Hello Subdomain'
 rv.close()
+ def test_send_from_directory_bad_request(self):
+ app = flask.Flask(__name__)
+ app.testing = True
+ app.root_path = os.path.join(os.path.dirname(__file__),
+ 'test_apps', 'subdomaintestmodule')
+ with app.test_request_context():
+ with pytest.raises(BadRequest):
+ flask.send_from_directory('static', 'bad\x00')
 class TestLogging(object):
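Review bot: The new `test_send_from_directory_bad_request` pins only the NUL-byte case, so nothing in this hunk checks that a well-formed but missing name still raises `NotFound` now that the `isfile` check is wrapped in a `try`; such a test may exist elsewhere in the file. A second block in the same request context, `with pytest.raises(NotFound): flask.send_from_directory('static', 'missing.txt')` (with `NotFound` added to the werkzeug import, and the file name here only a constructed example), would guard against the handler being broadened later. A one-line comment such as `# NUL byte can never be part of a valid path` above the call would also say what `'bad\x00'` is meant to exercise.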