
Armin Ronacher committed 3afcbf1

Extra safety for safe_join. Does not look exploitable but better safe than sorry. Fixes #501


Files changed (2)

     for sep in _os_alt_seps:
         if sep in filename:
             raise NotFound()
-    if os.path.isabs(filename) or filename.startswith('../'):
+    if os.path.isabs(filename) or \
+       filename == '..' or \
+       filename.startswith('../'):
         raise NotFound()
     return os.path.join(directory, filename)
 

flask/testsuite/regression.py

 import threading
 import unittest
 from werkzeug.test import run_wsgi_app, create_environ
+from werkzeug.exceptions import NotFound
 from flask.testsuite import FlaskTestCase
 
 
                 for x in xrange(10):
                     fire()
 
+    def test_safe_join_toplevel_pardir(self):
+        from flask.helpers import safe_join
+        with self.assert_raises(NotFound):
+            safe_join('/foo', '..')
+
 
 def suite():
     suite = unittest.TestSuite()
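Review bot: test_safe_join_toplevel_pardir pins only the exact `'..'` argument, so it exercises the new equality branch but not the `'../'` prefix rejection it sits next to, and nothing in the file asserts the positive path. Adding `with self.assert_raises(NotFound): safe_join('/foo', '../bar')` beside the existing block, plus one assertion that an ordinary child name is joined unchanged, would make the regression test state the contract in both directions. From the visible lines of safe_join in the other file section the guards are prefix and equality tests only, so a filename that reduces to the parent only after normalisation would not be rejected there; whether that is intended cannot be told here because the start of safe_join is outside the hunk, so a short comment on this test naming the cases it deliberately leaves to the helpers tests would settle it.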