revi-archive/xygt
1
0
Fork 0
mirror of https://github.com/jackeilles/xygt.git synced 2024-11-09 16:32:37 +01:00
Code Issues Projects Releases Packages Wiki Activity

secure_filename to stop crafted requests fucking with files

Browse source
This commit is contained in:
Jack Eilles 2023-12-21 17:03:03 +00:00
parent df987b400d
commit b390ff1e54
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
app/routes.py
View file

@ -2,6 +2,7 @@ from app import app, worker
from config import Config, Errors
from flask import render_template, request, send_file
from werkzeug.datastructures import FileStorage
from werkzeug.utils import secure_filename
from io import BytesIO
import os
import io
@ -63,7 +64,7 @@ def getData(id):
if Config.files.find_one({"id": id}) is not None:
data = Config.files.find_one({"id": id})
with open(os.path.join(Config.fileDir, id), "rb") as f:
with open(secure_filename(os.path.join(Config.fileDir, id)), "rb") as f:
file = f.read()
# Get MIME type from file, if fails then use magic