secure_filename to stop crafted requests fucking with files
parent
df987b400d
commit
b390ff1e54
1 changed files with 2 additions and 1 deletions
|
@ -2,6 +2,7 @@ from app import app, worker
|
|||
from config import Config, Errors
|
||||
from flask import render_template, request, send_file
|
||||
from werkzeug.datastructures import FileStorage
|
||||
from werkzeug.utils import secure_filename
|
||||
from io import BytesIO
|
||||
import os
|
||||
import io
|
||||
|
@ -63,7 +64,7 @@ def getData(id):
|
|||
if Config.files.find_one({"id": id}) is not None:
|
||||
data = Config.files.find_one({"id": id})
|
||||
|
||||
with open(os.path.join(Config.fileDir, id), "rb") as f:
|
||||
with open(secure_filename(os.path.join(Config.fileDir, id)), "rb") as f:
|
||||
file = f.read()
|
||||
|
||||
# Get MIME type from file, if fails then use magic
|
||||
|
|
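Review bot: `secure_filename` is applied to the whole joined path on the new `open(...)` line in `getData`, not to the request-supplied `id`. Werkzeug's `secure_filename` replaces path separators, so the result is a flattened relative name that no longer points inside `Config.fileDir`, and existing files would probably stop resolving. The sanitiser should wrap only the untrusted component: `with open(os.path.join(Config.fileDir, secure_filename(id)), "rb") as f:`. `secure_filename` can also return an empty string, which would make the path the directory itself, so an empty result should be rejected before opening. `getData` starts and ends outside the hunk, so any earlier validation of `id` is not visible here.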