Document a security risk in the send_file function

This commit is contained in:
Miguel Grinberg
2021-09-28 17:15:07 +01:00
parent 8e5fb92ff1
commit d29ed6aaa1


@@ -444,6 +444,10 @@ class Response():
:param content_type: The ``Content-Type`` header to use in the :param content_type: The ``Content-Type`` header to use in the
response. If omitted, it is generated response. If omitted, it is generated
automatically from the file extension. automatically from the file extension.
Security note: The filename is assumed to be trusted. Never pass
filenames provided by the user before validating and sanitizing them
first.
""" """
if content_type is None: if content_type is None:
ext = filename.split('.')[-1] ext = filename.split('.')[-1]