From c98abb435e4227e720b2a30774c73360e044478f Mon Sep 17 00:00:00 2001
From: David Carmichael
Date: Sat, 7 Sep 2024 12:07:41 +0100
Subject: [PATCH 1/2] update helpers.send_from_directory docstring
Update helpers.send_from_directory docstring to match werkzeug.utils.send_from_directory docstring on the :param directory: line. The previous "relative to the current application's root path" is misleading to the actual behavior.
---
 src/flask/helpers.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/flask/helpers.py b/src/flask/helpers.py
index f891eed126..d069e545b2 100644
--- a/src/flask/helpers.py
+++ b/src/flask/helpers.py
@@ -546,8 +546,8 @@ def download_file(name):
 If the final path does not point to an existing regular file, raises a 404 :exc:`~werkzeug.exceptions.NotFound` error.
- :param directory: The directory that ``path`` must be located under,
- relative to the current application's root path.
+ :param directory: The directory that ``path`` must be located under. This *must not* be a value provided by the client, otherwise it becomes insecure.
 :param path: The path to the file to send, relative to ``directory``.
 :param kwargs: Arguments to pass to :func:`send_file`.
From 629fa0ab3e0017150b4edde4f5fbcb0fe9b6d113 Mon Sep 17 00:00:00 2001
From: David <39418842+CheeseCake87@users.noreply.github.com>
Date: Wed, 6 Nov 2024 17:46:14 +0000
Subject: [PATCH 2/2] updated to include original wording
---
 src/flask/helpers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/flask/helpers.py b/src/flask/helpers.py
index d069e545b2..57c8a00054 100644
--- a/src/flask/helpers.py
+++ b/src/flask/helpers.py
@@ -546,7 +546,8 @@ def download_file(name):
 If the final path does not point to an existing regular file, raises a 404 :exc:`~werkzeug.exceptions.NotFound` error.
- :param directory: The directory that ``path`` must be located under. This *must not*
+ :param directory: The directory that ``path`` must be located under,
+ relative to the current application's root path. This *must not*
 be a value provided by the client, otherwise it becomes insecure.
 :param path: The path to the file to send, relative to ``directory``.
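Review bot: The clause `relative to the current application's root path` re-added on the first `+` line is exactly the wording the first commit's message calls misleading, and the second commit restores it without saying when it actually holds. If I read werkzeug's `send_from_directory` correctly, the join against the application root only takes effect for a relative ``directory`` and an absolute one is used as given, so I would make that explicit, e.g. `:param directory: The directory that ``path`` must be located under. A relative value is resolved against the current application's root path. This *must not*` with the existing `be a value provided by the client, otherwise it becomes insecure.` context line following. The second sentence is the security-relevant part and should stay as written: as far as I can tell the traversal safeguards apply to ``path`` relative to ``directory``, not to ``directory`` itself, which is why a client-controlled directory defeats them. The enclosing function ``send_from_directory`` starts before the hunk.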