From ed70b42798a31bce951917ff22b996c810e2c3a9 Mon Sep 17 00:00:00 2001
From: Armin Ronacher
Date: Thu, 23 Dec 2010 14:15:18 +0100
Subject: [PATCH] Make sure that windows servers do not allow downloading arbitrary files

---
 flask/helpers.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/flask/helpers.py b/flask/helpers.py
index 33aa7ee2..a783dc12 100644
--- a/flask/helpers.py
+++ b/flask/helpers.py
@@ -58,6 +58,13 @@ else:
     _tojson_filter = json.dumps
 
 
+# what separators does this operating system provide that are not a slash?
+# this is used by the send_from_directory function to ensure that nobody is
+# able to access files from outside the filesystem.
+_os_alt_seps = list(sep for sep in [os.path.sep, os.path.altsep]
+                    if sep not in (None, '/'))
+
+
 def _endpoint_from_view_func(view_func):
     """Internal helper that returns the default endpoint for a given function.
     This always is the function name.
@@ -413,7 +420,10 @@ def send_from_directory(directory, filename, **options):
     forwarded to :func:`send_file`.
     """
     filename = posixpath.normpath(filename)
-    if filename.startswith(('/', '../')):
+    for sep in _os_alt_seps:
+        if sep in filename:
+            raise NotFound()
+    if os.path.isabs(filename) or filename.startswith('../'):
         raise NotFound()
     filename = os.path.join(directory, filename)
     if not os.path.isfile(filename):
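Review bot: The comment above `_os_alt_seps` overstates what the guard protects: the separator check keeps `send_from_directory` from serving files outside the given directory, not "outside the filesystem", so the third comment line should read `# able to access files from outside the directory.`. It would also help a reader to say why the slash itself is excluded, e.g. `# '/' is handled separately by posixpath.normpath in send_from_directory`. As a point of style, `list(sep for sep in ... if ...)` is a list comprehension written through a generator and reads more directly as `[sep for sep in (os.path.sep, os.path.altsep) if sep not in (None, '/')]`.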
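Review bot: The new checks reject absolute paths and `../` prefixes, but on Windows a drive-relative name such as `C:name` contains no separator, is not reported absolute by `os.path.isabs`, and makes the following `os.path.join(directory, filename)` discard `directory` because the second component carries its own drive. A containment check on the joined result would close that gap independently of how the name is spelled: `base = os.path.join(os.path.abspath(directory), '')` and `filename = os.path.abspath(os.path.join(directory, filename))`, then `if not filename.startswith(base): raise NotFound()`. This is also worth a one-line comment on the loop, such as `# reject platform separators so normpath's POSIX-only view cannot be bypassed`, since the reason for pairing `posixpath.normpath` with the alternate-separator check is not obvious from the code. The body of `send_from_directory` starts and ends outside this hunk.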