Skip to content

Commit

Permalink
Merge commit from fork
Browse files Browse the repository at this point in the history
catch special absolute path on Windows Python < 3.11
  • Loading branch information
davidism authored Oct 25, 2024
2 parents 50cfeeb + 87cc78a commit 2767bcb
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 6 deletions.
3 changes: 3 additions & 0 deletions CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ Unreleased
- Fix how ``max_form_memory_size`` is applied when parsing large non-file
fields. :ghsa:`q34m-jh98-gwm2`

- ``safe_join`` catches certain paths on Windows that were not caught by
``ntpath.isabs`` on Python < 3.11. :ghsa:`f9vj-2wh5-fj8j`


Version 3.0.5
-------------
Expand Down
2 changes: 2 additions & 0 deletions src/werkzeug/security.py
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,8 @@ def safe_join(directory: str, *pathnames: str) -> str | None:
if (
any(sep in filename for sep in _os_alt_seps)
or os.path.isabs(filename)
# ntpath.isabs doesn't catch this on Python < 3.11
or filename.startswith("/")
or filename == ".."
or filename.startswith("../")
):
Expand Down
17 changes: 11 additions & 6 deletions tests/test_security.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
import os
import posixpath
import sys

import pytest
Expand Down Expand Up @@ -47,11 +46,17 @@ def test_invalid_method():
generate_password_hash("secret", "sha256")


def test_safe_join():
assert safe_join("foo", "bar/baz") == posixpath.join("foo", "bar/baz")
assert safe_join("foo", "../bar/baz") is None
if os.name == "nt":
assert safe_join("foo", "foo\\bar") is None
@pytest.mark.parametrize(
("path", "expect"),
[
("b/c", "a/b/c"),
("../b/c", None),
("b\\c", None if os.name == "nt" else "a/b\\c"),
("//b/c", None),
],
)
def test_safe_join(path, expect):
assert safe_join("a", path) == expect


def test_safe_join_os_sep():
Expand Down

0 comments on commit 2767bcb

Please sign in to comment.