
Raise BadRequest if static file name is invalid

* Raise BadRequest if static file name is invalid

* Clean up syntax a bit

* Remove unnecessary close()
pull/1631/head
David Hou 9 years ago committed by Markus Unterwaditzer
parent
commit
9f1be8e795
  1. 5
      flask/helpers.py
  2. 9
      tests/test_helpers.py

5
flask/helpers.py

@ -27,7 +27,7 @@ except ImportError:
from urlparse import quote as url_quote
from werkzeug.datastructures import Headers
from werkzeug.exceptions import NotFound
from werkzeug.exceptions import BadRequest, NotFound
# this was moved in 0.7
try:
@ -618,8 +618,11 @@ def send_from_directory(directory, filename, **options):
filename = safe_join(directory, filename)
if not os.path.isabs(filename):
filename = os.path.join(current_app.root_path, filename)
try:
if not os.path.isfile(filename):
raise NotFound()
except (TypeError, ValueError):
raise BadRequest()
options.setdefault('conditional', True)
return send_file(filename, **options)
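Review bot: In send_from_directory the bad-name case is detected only because `os.path.isfile(filename)` happens to raise TypeError or ValueError, so the check is a side effect of the stat call rather than a statement about the input. Testing the name before it reaches safe_join, e.g. `if '\x00' in filename: raise BadRequest()`, would make the intent explicit and keep the 400 independent of interpreter behaviour; Python 3.8 and later return False from isfile for such paths, which would turn this case into NotFound. If the try/except stays, it deserves a comment such as `# isfile raises TypeError/ValueError for names with an embedded NUL byte`. The function begins above the hunk, and the page has lost indentation, so the exact extent of the try body is inferred.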

9
tests/test_helpers.py

@ -15,6 +15,7 @@ import os
import datetime
import flask
from logging import StreamHandler
from werkzeug.exceptions import BadRequest
from werkzeug.http import parse_cache_control_header, parse_options_header
from werkzeug.http import http_date
from flask._compat import StringIO, text_type
@ -504,6 +505,14 @@ class TestSendfile(object):
assert rv.data.strip() == b'Hello Subdomain'
rv.close()
def test_send_from_directory_bad_request(self):
app = flask.Flask(__name__)
app.testing = True
app.root_path = os.path.join(os.path.dirname(__file__),
'test_apps', 'subdomaintestmodule')
with app.test_request_context():
with pytest.raises(BadRequest):
flask.send_from_directory('static', 'bad\x00')
class TestLogging(object):
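Review bot: test_send_from_directory_bad_request pins a single input, `'bad\x00'`, and relies on the platform's isfile raising for it, so it says nothing about whether the existing not-found path still behaves the same after being wrapped in the new try block. A companion assertion in the same request context, `with pytest.raises(NotFound): flask.send_from_directory('static', 'missing.txt')` (the file name is a constructed example, and NotFound would need importing next to BadRequest), would cover that unless a test outside this view already does. A one-line comment saying why the NUL byte is the chosen input, e.g. `# embedded NUL makes the path check raise rather than return False`, would also help. The TestSendfile class starts above the hunk.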
