
Untitled

a guest
Mar 27th, 2015
  # Unchecked variant: the "file" path parameter is taken from the request and
  # handed to open() as-is, so "../" segments or an absolute path in that
  # parameter select files outside the directory that is meant to be served.
  requested = request.path_params["file"]
  body = open(requested, "rb")
  # guess_type() returns a (type, encoding) pair; only the type is used here.
  content_type, _ = mimetypes.guess_type(requested)
  response_headers = [('Content-Type', content_type)]
  start_response(status.OK, response_headers)
  return body
  6.  
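  file_name = request.path_params["file"]

  # Bring the base directory and the requested path into the same absolute,
  # normalised form so the containment check compares like with like.
  # abspath() collapses ".." segments but does not resolve symlinks; use
  # os.path.realpath() on both values if the served tree may contain links.
  base_directory = os.path.abspath(self.base_directory)
  normalized_path = os.path.abspath(os.path.join(base_directory, file_name))

  # security check to prevent directory traversal: the path must lie below
  # the base directory on a path-component boundary. A bare
  # startswith(base_directory) would also accept a sibling directory whose
  # name merely begins with the base directory's name.
  base_prefix = base_directory.rstrip(os.sep) + os.sep
  if not normalized_path.startswith(base_prefix):
      raise IOError()

  file = open(normalized_path, "rb")
  # guess_type() yields None for unknown extensions, and None is not a valid
  # header value, so fall back to a generic binary type.
  mime_type = mimetypes.guess_type(normalized_path)[0] or "application/octet-stream"
  start_response(status.OK, [('Content-Type', mime_type)])
  return file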
  19.  
  # Interactive session: express an absolute path that lies outside the start
  # directory relative to that directory, then compare the two paths.
  20. >>> import os.path
  21. >>> os.curdir
  22. '.'
  23. >>> startdir = os.path.abspath(os.curdir)
  24. >>> startdir
  25. '/home/jterrace'
  26.  
  # relpath() rewrites the target relative to startdir; a target outside
  # startdir comes back with leading ".." components.
  27. >>> filename = "/etc/passwd"
  28. >>> requested_path = os.path.relpath(filename, startdir)
  29. >>> requested_path
  30. '../../etc/passwd'
  # abspath() resolves against the current working directory, which is
  # startdir in this session (startdir was taken from os.curdir above).
  31. >>> requested_path = os.path.abspath(requested_path)
  32. >>> requested_path
  33. '/etc/passwd'
  34.  
  # The common prefix is '/' rather than startdir, so the requested path is
  # outside the start directory.
  # NOTE(review): commonprefix() compares character by character, not path
  # component by component, so a sibling such as startdir + "2" would still
  # return startdir. os.path.commonpath() (Python 3.5+) or a comparison
  # against startdir + os.sep works on whole components.
  35. >>> os.path.commonprefix([requested_path, startdir])
  36. '/'
  37.  
  # Keep only the final component of the requested name, so any directory
  # parts (including "..") are dropped before the join with the fixed base.
  file_name = os.path.basename(request.path_params["file"])
  served_path = os.path.join("/path", file_name)
  file = open(served_path, "rb")
  41.  
  # basename() returns only the last path component, so the leading "../"
  # segments of the input do not survive.
  42. >>> os.path.basename('../../filename')
  43. 'filename'