diff --git a/digits/views.py b/digits/views.py
index 54d5fd3ef..e314d3b7c 100644
--- a/digits/views.py
+++ b/digits/views.py
@@ -233,21 +233,7 @@ def serve_file(path):
     and this path will never be used
     """
     jobs_dir = config_value('jobs_dir')
-    path = os.path.normpath(os.path.join(jobs_dir, path))
-
-    # Don't allow path manipulation
-    if not os.path.commonprefix([path, jobs_dir]).startswith(jobs_dir):
-        raise werkzeug.exceptions.Forbidden('Path manipulation not allowed')
-
-    if not os.path.exists(path):
-        raise werkzeug.exceptions.NotFound('File not found')
-    if os.path.isdir(path):
-        raise werkzeug.exceptions.Forbidden('Folder cannot be served')
-
-    with open(path, 'r') as infile:
-        response = flask.make_response(infile.read())
-        response.headers["Content-Disposition"] = "attachment; filename=%s" % os.path.basename(path)
-        return response
+    return flask.send_from_directory(jobs_dir, path)
 
 ### Path Completion
 
diff --git a/docs/API.md b/docs/API.md
index 6f7c07bd2..d268f4b38 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -1,6 +1,6 @@
 # REST API
 
-*Generated Aug 06, 2015*
+*Generated Aug 07, 2015*
 
 DIGITS exposes its internal functionality through a REST API. You can access these endpoints by performing a GET or POST on the route, and a JSON object will be returned.
 
diff --git a/docs/FlaskRoutes.md b/docs/FlaskRoutes.md
index 2a117abd8..c747515c1 100644
--- a/docs/FlaskRoutes.md
+++ b/docs/FlaskRoutes.md
@@ -1,6 +1,6 @@
 # Flask Routes
 
-*Generated Aug 06, 2015*
+*Generated Aug 07, 2015*
 
 Documentation on the various routes used internally for the web application.
 
@@ -406,7 +406,7 @@ Location: [`digits/model/views.py@92`](../digits/model/views.py#L92)
 
 Methods: **GET**
 
-Location: [`digits/views.py@255`](../digits/views.py#L255)
+Location: [`digits/views.py@241`](../digits/views.py#L241)
 
 ### `/files/`
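Review bot: The new `flask.send_from_directory(jobs_dir, path)` call drops the `Content-Disposition: attachment` header the removed code set, so everything under `jobs_dir` is now served inline with a MIME type guessed from the extension; if any file in a job directory can be user-supplied (uploads, user-chosen names), an `.html` or `.svg` there becomes a stored-XSS vector in the application's origin. Passing the flag keeps the old download semantics: `return flask.send_from_directory(jobs_dir, path, as_attachment=True)`. Note also that `safe_join` only normalises the path string and does not resolve symlinks, so a link inside `jobs_dir` pointing outside it is still served — the same as before, but worth a comment if that is an accepted trust assumption. Directories now yield 404 instead of the previous 403 `Folder cannot be served`, which callers or tests may depend on. `serve_file` begins outside the hunk (its `def` line appears only in the hunk header), so the docstring, which should now describe the `send_from_directory` behaviour, is not visible here.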