From fba164d4f4682cef7fe5dd69dc5c3e3ce463904a Mon Sep 17 00:00:00 2001
From: Abubakar Abid
Date: Tue, 14 Dec 2021 12:32:33 -0600
Subject: [PATCH 1/5] Create SECURITY.md
---
 SECURITY.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..9840c65f5c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 2.x | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, we would be very grateful if you could email us at team@gradio.app. This is the preferred approach instead of opening a public issue. We take all vulnerability reports seriously, and will work to patch the vulnerability immediately. Whenever possible, we will credit the person or people who report the security vulnerabilities after it has been patched.
From 0b2c4901a63b2e5a7d7b3964d27b8f82d6d330e1 Mon Sep 17 00:00:00 2001
From: Ali Abid
Date: Tue, 14 Dec 2021 18:57:16 +0000
Subject: [PATCH 2/5] updated PyPi version
---
 gradio.egg-info/PKG-INFO | 2 +-
 gradio/version.txt | 2 +-
 setup.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/gradio.egg-info/PKG-INFO b/gradio.egg-info/PKG-INFO
index 6361cdd5ec..5ac3e41241 100644
--- a/gradio.egg-info/PKG-INFO
+++ b/gradio.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: gradio
-Version: 2.4.7b9
+Version: 2.5.0
 Summary: Python library for easily interacting with trained machine learning models
 Home-page: https://github.com/gradio-app/gradio-UI
 Author: Abubakar Abid
diff --git a/gradio/version.txt b/gradio/version.txt
index 7ea4b014fa..437459cd94 100644
--- a/gradio/version.txt
+++ b/gradio/version.txt
@@ -1 +1 @@
-2.4.7b9
+2.5.0
diff --git a/setup.py b/setup.py
index 18d4e53288..c99e499c65 100644
--- a/setup.py
+++ b/setup.py
@@ -5,7 +5,7 @@ except ImportError:
 setup(
 name='gradio',
- version='2.4.7b9',
+ version='2.5.0',
 include_package_data=True,
 description='Python library for easily interacting with trained machine learning models',
 author='Abubakar Abid',
From 41bd3645bdb616e1248b2167ca83636a2653f781 Mon Sep 17 00:00:00 2001
From: Ali Abid
Date: Tue, 14 Dec 2021 21:01:55 +0000
Subject: [PATCH 3/5] secure path hotfix
---
 gradio/networking.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/gradio/networking.py b/gradio/networking.py
index 0a97281692..18017249cf 100644
--- a/gradio/networking.py
+++ b/gradio/networking.py
@@ -377,15 +377,14 @@ def interpret():
 @app.route("/file/", methods=["GET"])
 @login_check
 def file(path):
- path = secure_filename(path)
 if app.interface.encrypt and isinstance(app.interface.examples, str) and path.startswith(app.interface.examples):
- with open(os.path.join(app.cwd, path), "rb") as encrypted_file:
+ with open(safe_join(app.cwd, path), "rb") as encrypted_file:
 encrypted_data = encrypted_file.read()
 file_data = encryptor.decrypt(
 app.interface.encryption_key, encrypted_data)
 return send_file(io.BytesIO(file_data), attachment_filename=os.path.basename(path))
 else:
- return send_file(os.path.join(app.cwd, path))
+ return send_file(safe_join(app.cwd, path))
 
 
 @app.route("/api/queue/push/", methods=["POST"])
From a7a453602fa9f38d286f81df87c6b4b5dd9c5dd0 Mon Sep 17 00:00:00 2001
From: Ali Abid
Date: Tue, 14 Dec 2021 21:02:26 +0000
Subject: [PATCH 4/5] updated PyPi version
---
 gradio.egg-info/PKG-INFO | 2 +-
 setup.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gradio.egg-info/PKG-INFO b/gradio.egg-info/PKG-INFO
index 5ac3e41241..2e1d8ed1a7 100644
--- a/gradio.egg-info/PKG-INFO
+++ b/gradio.egg-info/PKG-INFO
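Review bot: Both new `safe_join(app.cwd, path)` calls in `file()` use the result without checking it: werkzeug's `safe_join` returns `None` when `path` would escape `app.cwd`, so a traversal request reaches `open(None, "rb")` or `send_file(None)` and fails with an unhandled exception (a 500) instead of being rejected on purpose, which is consistent with the 500 the accompanying test in this series expects. Which `safe_join` is imported is outside the hunk; if it is the older Flask variant that raises `NotFound`, the behaviour is already a 404, but an explicit check keeps the outcome independent of the Flask/werkzeug version. Join once after `def file(path):`, reject a `None` result with `abort(404)` (importing `abort` from flask if the module does not already), and pass the joined path to both branches. Separately, the root is `app.cwd`, the process working directory, so any file beneath it (source, config, key material) remains downloadable by whoever passes `@login_check`; serving from a dedicated examples/static directory would narrow that exposure.
```python
def file(path):
    full_path = safe_join(app.cwd, path)
    if full_path is None:
        abort(404)  # path escapes app.cwd; refuse rather than crash
    if app.interface.encrypt and isinstance(app.interface.examples, str) and path.startswith(app.interface.examples):
        with open(full_path, "rb") as encrypted_file:
            # … unchanged: read, decrypt and send the decrypted bytes …
    else:
        return send_file(full_path)
```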
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: gradio
-Version: 2.5.0
+Version: 2.5.1
 Summary: Python library for easily interacting with trained machine learning models
 Home-page: https://github.com/gradio-app/gradio-UI
 Author: Abubakar Abid
diff --git a/setup.py b/setup.py
index c99e499c65..66e443d665 100644
--- a/setup.py
+++ b/setup.py
@@ -5,7 +5,7 @@ except ImportError:
 setup(
 name='gradio',
- version='2.5.0',
+ version='2.5.1',
 include_package_data=True,
 description='Python library for easily interacting with trained machine learning models',
 author='Abubakar Abid',
From 160a0379890d33f948ae165f406fb7c6fcad1c9b Mon Sep 17 00:00:00 2001
From: Abubakar Abid
Date: Tue, 14 Dec 2021 17:05:02 -0600
Subject: [PATCH 5/5] added test for checking if static files are served safely
---
 test/test_networking.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/test_networking.py b/test/test_networking.py
index 6afd176723..4adc7c3d9f 100644
--- a/test/test_networking.py
+++ b/test/test_networking.py
@@ -71,6 +71,11 @@ class TestFlaskRoutes(unittest.TestCase):
 response = self.client.get('/api/')
 self.assertEqual(response.status_code, 200)
 
+ def test_static_files_served_safely(self):
+ # Make sure things outside the static folder are not accessible
+ response = self.client.get(r'/static/..%2f..%2fapi_docs.html')
+ self.assertEqual(response.status_code, 500)
+
 def test_get_config_route(self):
 response = self.client.get('/config/')
 self.assertEqual(response.status_code, 200)
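Review bot: `test_static_files_served_safely` asserts a 500 for the traversal request, which pins the server crashing on the input rather than refusing it; a deliberate rejection is a 403/404, so once the route rejects explicitly the check should read `self.assertIn(response.status_code, (403, 404))`. The test also targets `/static/`, while the hotfix in this series changed the `/file/` route, so that route's `safe_join` handling has no coverage; a sibling such as `response = self.client.get(r'/file/..%2f..%2fsetup.py')` with the same assertion would close the gap. It is worth confirming that the werkzeug test client does not decode or normalise `..%2f` before routing, otherwise the request never exercises the traversal path at all. The enclosing `TestFlaskRoutes` class begins before this hunk.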