Raise BadRequest if static file name is invalid
chaosagent committed Apr 1, 2016
1 parent da0ebb9 commit b4dd92d
Showing 2 changed files with 21 additions and 3 deletions.
11 changes: 8 additions & 3 deletions flask/helpers.py
@@ -27,7 +27,7 @@
from urlparse import quote as url_quote

from werkzeug.datastructures import Headers
from werkzeug.exceptions import NotFound
from werkzeug.exceptions import BadRequest, NotFound

# this was moved in 0.7
try:
@@ -618,8 +618,13 @@ def download_file(filename):
filename = safe_join(directory, filename)
if not os.path.isabs(filename):
filename = os.path.join(current_app.root_path, filename)
if not os.path.isfile(filename):
raise NotFound()
try:
if not os.path.isfile(filename):
raise NotFound()
except TypeError:
raise BadRequest()
except ValueError:
raise BadRequest()
options.setdefault('conditional', True)
return send_file(filename, **options)
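Review bot: Rejecting a bad `filename` here depends on `os.path.isfile` raising, which is interpreter-dependent: from Python 3.8 the `os.path` predicates return False for a path with an embedded NUL instead of raising `ValueError`, so the same request would get a 404 rather than the intended 400. The check also runs only after `safe_join` and `os.path.join` have already handled the name. An explicit test before any path handling, for example `if '\x00' in filename: raise BadRequest()`, would make the outcome deterministic and keep the `try` from turning an unrelated `TypeError` into a client error. If the handlers stay, the two identical ones can be merged into `except (TypeError, ValueError): raise BadRequest()`. The enclosing function starts outside this hunk, so the placement of the early check should be confirmed against the full body.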

13 changes: 13 additions & 0 deletions tests/test_helpers.py
@@ -15,6 +15,7 @@
import datetime
import flask
from logging import StreamHandler
from werkzeug.exceptions import BadRequest
from werkzeug.http import parse_cache_control_header, parse_options_header
from werkzeug.http import http_date
from flask._compat import StringIO, text_type
@@ -504,6 +505,18 @@ def test_send_from_directory(self):
assert rv.data.strip() == b'Hello Subdomain'
rv.close()

def test_send_from_directory_bad_request(self):
app = flask.Flask(__name__)
app.testing = True
app.root_path = os.path.join(os.path.dirname(__file__),
'test_apps', 'subdomaintestmodule')
with app.test_request_context():
try:
rv = flask.send_from_directory('static', 'bad\x00')
rv.close()
assert False
except BadRequest:
pass

class TestLogging(object):
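Review bot: The expected failure in `test_send_from_directory_bad_request` is written as `try` / `assert False` / `except BadRequest: pass`, which is harder to read than the assertion it stands for and leaves `rv.close()` as a line that runs only when the test is about to fail. If pytest is imported in this module (not visible in this hunk), `with pytest.raises(BadRequest):` around the `flask.send_from_directory('static', 'bad\x00')` call states the same expectation directly. Only the NUL-byte name is covered, so a short comment such as `# a NUL byte in the name must yield 400, not an unhandled exception` would record why this input was chosen.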
