From f80e1d3b5ab8e718cc67c814cbfd9aee9c95f45f Mon Sep 17 00:00:00 2001
From: Armin Ronacher
Date: Wed, 12 May 2010 01:02:20 +0200
Subject: [PATCH] Added note on send_file security.

---
 flask.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/flask.py b/flask.py
index 3d1a8b7b..ac33ba49 100644
--- a/flask.py
+++ b/flask.py
@@ -249,6 +249,13 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False,
     also explicitly provide one. For extra security you probably want to
     sent certain files as attachment (HTML for instance).
 
+    Please never pass filenames to this function from user sources without
+    checking them first. Something like this is usually sufficient to
+    avoid security problems::
+
+        if '..' in filename or filename.startswith('/'):
+            abort(404)
+
     .. versionadded:: 0.2
 
     :param filename_or_fp: the filename of the file to send. This is
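Review bot: The guard the new docstring recommends, `if '..' in filename or filename.startswith('/')`, is weaker than the phrase "usually sufficient" suggests: it does not reject Windows-style absolute paths such as `C:\...` or `\\host\share`, and it rejects harmless names that merely contain `..` (e.g. `report..txt`). A more robust recommendation is to join the name onto the intended base directory, normalise the result and verify it is still inside that directory, e.g. `path = os.path.abspath(os.path.join(base, filename))` followed by `if not path.startswith(os.path.join(base, '')): abort(404)`, where `base` is itself an absolute, normalised path. At minimum the docstring should describe the quoted snippet as a POSIX-only baseline and point out that the containing-directory check after normalisation is what actually prevents traversal. The `send_file` signature and the rest of its body lie outside this hunk.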