How can I securely pass an arbitrarily deep path to a webapp (Flask, in this case)? How can I securely pass an arbitrarily deep path to a webapp (Flask, in this case)? flask flask

How can I securely pass an arbitrarily deep path to a webapp (Flask, in this case)?


python web-applications flask werkzeug

For situations like this Flask has safe_join which raises 404 if a user attempts to leave the path:

>>> safe_join('/foo/bar', 'test')'/foo/bar/test'>>> safe_join('/foo/bar', 'test/../other_test')'/foo/bar/other_test'>>> safe_join('/foo/bar', 'test/../../../etc/htpassw')Traceback (most recent call last):  File "<stdin>", line 1, in <module>  File "/Users/mitsuhiko/Development/flask/flask/helpers.py", line 432, in safe_join    raise NotFound()werkzeug.exceptions.NotFound: 404: Not Found

python web-applications flask werkzeug

You can use werkzeug.routing.PathConverter to handle arbitrary paths like so:

from flask import Flaskapp = Flask(__name__)@app.route("/arbitrary/<path:my_path>")def arbitrary_path(my_path):    return my_pathif __name__ == "__main__":    app.run()

With the oversimplified sample above you can see that if you visit http://127.0.0.1:5000/arbitrary/dir1/dir2/dir3/dir4 it will return dir1/dir2/dir3/dir4 and if you visit http://127.0.0.1:5000/arbitrary/dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/dir9/dir10 it will return dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/dir9/dir10

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last