Raise BadRequest if static file name is invalid

* Raise BadRequest if static file name is invalid

* Clean up syntax a bit

* Remove unnecessary close()

flask/helpers.py

@@ -27,7 +27,7 @@
     from urlparse import quote as url_quote
 
 from werkzeug.datastructures import Headers
-from werkzeug.exceptions import NotFound
+from werkzeug.exceptions import BadRequest, NotFound
 
 # this was moved in 0.7
 try:
@@ -618,8 +618,11 @@ def download_file(filename):
     filename = safe_join(directory, filename)
     if not os.path.isabs(filename):
         filename = os.path.join(current_app.root_path, filename)
-    if not os.path.isfile(filename):
-        raise NotFound()
+    try:
+        if not os.path.isfile(filename):
+            raise NotFound()
+    except (TypeError, ValueError):
+        raise BadRequest()
     options.setdefault('conditional', True)
     return send_file(filename, **options)
 

tests/test_helpers.py

@@ -15,6 +15,7 @@
 import datetime
 import flask
 from logging import StreamHandler
+from werkzeug.exceptions import BadRequest
 from werkzeug.http import parse_cache_control_header, parse_options_header
 from werkzeug.http import http_date
 from flask._compat import StringIO, text_type
@@ -504,6 +505,14 @@ def test_send_from_directory(self):
             assert rv.data.strip() == b'Hello Subdomain'
             rv.close()
 
+    def test_send_from_directory_bad_request(self):
+        app = flask.Flask(__name__)
+        app.testing = True
+        app.root_path = os.path.join(os.path.dirname(__file__),
+                                     'test_apps', 'subdomaintestmodule')
+        with app.test_request_context():
+            with pytest.raises(BadRequest):
+                flask.send_from_directory('static', 'bad\x00')
 
 class TestLogging(object):