Document a security risk in the send_file function

2021-09-28 17:15:07 +01:00
parent 8e5fb92ff1
commit d29ed6aaa1
1 changed files with 4 additions and 0 deletions
--- a/src/microdot.py
+++ b/src/microdot.py
@@ -444,6 +444,10 @@ class Response():
        :param content_type: The ``Content-Type`` header to use in the
                             response. If omitted, it is generated
                             automatically from the file extension.
+
+        Security note: The filename is assumed to be trusted. Never pass
+        filenames provided by the user before validating and sanitizing them
+        first.
        """
        if content_type is None:
            ext = filename.split('.')[-1]