I'm using werkzeug's `utils.send_from_directory()` function to send a file with a multilevel "path" value. For example, my call to `send_from_directory()` might look like:

In this case, `send_from_directory` returns a `404 NotFound`, since the call to `safe_join` in line 564 returns None.

The call to `safe_join` is rejected because the subpath contains a `\` character, which is included in the list of `_os_alt_seps` (defined in security.py) to mark it as "insecure".

This seems incorrect. Why is the separator `/` manually ignored from the `_os_alt_seps` definition in line 13, but not `\`? It's important to note that I'm running on Windows, and `\` is the default path separator. I believe that a single slash `\` in the path to join in should not be considered an "unsafe" access - but correct me if this is an incorrect assumption.
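The check described in the post, modelled as an added example that is not part of the original post and is not werkzeug's own code: a simplified `safe_join`-style function that normalises with POSIX rules and rejects any alternative separator, shown next to what Windows path rules do with the same input. The names `model_safe_join`, `escapes_on_windows`, `to_url_style` and `WINDOWS_ALT_SEPS` are hypothetical, and all paths are constructed sample values.

```python
import ntpath
import posixpath
from pathlib import PureWindowsPath

# Assumption: the separator list as it would be computed on Windows
# (os.sep is "\\", os.path.altsep is "/", and "/" is excluded, as the post
# describes). Hard-coded here so the example behaves the same on any OS.
WINDOWS_ALT_SEPS = ["\\"]


def model_safe_join(directory, untrusted, alt_seps=WINDOWS_ALT_SEPS):
    """Simplified model of a safe_join-style check; returns None on rejection."""
    if untrusted != "":
        # POSIX normalisation only understands "/", so "..\\x" passes through as-is.
        untrusted = posixpath.normpath(untrusted)
    if (
        any(sep in untrusted for sep in alt_seps)
        or ntpath.isabs(untrusted)
        or untrusted == ".."
        or untrusted.startswith("../")
    ):
        return None
    return posixpath.join(directory, untrusted)


def escapes_on_windows(directory, untrusted):
    """True if Windows path rules resolve the joined path outside `directory`."""
    base = ntpath.normpath(directory)
    full = ntpath.normpath(ntpath.join(base, untrusted))
    return not (full == base or full.startswith(base + "\\"))


def to_url_style(windows_subpath):
    """Caller-side conversion of a Windows subpath to the "/" form the check accepts."""
    return PureWindowsPath(windows_subpath).as_posix()


if __name__ == "__main__":
    sub = "reports\\2020\\a.txt"                 # constructed multilevel subpath
    print(model_safe_join("C:/data", sub))       # rejected: contains "\\"
    print(model_safe_join("C:/data", to_url_style(sub)))
    # With no alternative-separator check, a backslash parent reference gets through:
    print(model_safe_join("C:/data", "..\\secret.txt", alt_seps=[]))
    print(escapes_on_windows("C:\\data", "..\\secret.txt"))
```

In this model a backslash is invisible to the POSIX-style `..` checks, which is why it is rejected outright, and converting the subpath to forward slashes before the join keeps those checks effective.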