Merge branch 'master' into abidlabs/url

2025-01-18 10:44:33 +08:00 · 2021-12-14 18:40:41 -06:00 · 2021-12-14 18:40:41 -06:00 · 9151bff97d
commit 9151bff97d
parent 0abfe9c60d 160a037989
6 changed files with 25 additions and 6 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.x   | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, we would be very grateful if you could email us at team@gradio.app. This is the preferred approach instead of opening a public issue. We take all vulnerability reports seriously, and will work to patch the vulnerability immediately. Whenever possible, we will credit the person or people who report the security vulnerabilities after it has been patched.
--- a/gradio.egg-info/PKG-INFO
+++ b/gradio.egg-info/PKG-INFO
@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: gradio
-Version: 2.4.7b9
+Version: 2.5.1
 Summary: Python library for easily interacting with trained machine learning models
 Home-page: https://github.com/gradio-app/gradio-UI
 Author: Abubakar Abid
--- a/gradio/networking.py
+++ b/gradio/networking.py
@ -377,15 +377,14 @@ def interpret():
@app.route("/file/<path:path>", methods=["GET"])
@login_check
 def file(path):
-    path = secure_filename(path)
    if app.interface.encrypt and isinstance(app.interface.examples, str) and path.startswith(app.interface.examples):
-        with open(os.path.join(app.cwd, path), "rb") as encrypted_file:
+        with open(safe_join(app.cwd, path), "rb") as encrypted_file:
            encrypted_data = encrypted_file.read()
        file_data = encryptor.decrypt(
            app.interface.encryption_key, encrypted_data)
        return send_file(io.BytesIO(file_data), attachment_filename=os.path.basename(path))
    else:
-        return send_file(os.path.join(app.cwd, path))
+        return send_file(safe_join(app.cwd, path))


@app.route("/api/queue/push/", methods=["POST"])
--- a/gradio/version.txt
+++ b/gradio/version.txt
@ -1 +1 @@
-2.4.7b9
+2.5.0
--- a/setup.py
+++ b/setup.py
@ -5,7 +5,7 @@ except ImportError:

 setup(
    name='gradio',
-    version='2.4.7b9',
+    version='2.5.1',
    include_package_data=True,
    description='Python library for easily interacting with trained machine learning models',
    author='Abubakar Abid',
--- a/test/test_networking.py
+++ b/test/test_networking.py
@ -71,6 +71,11 @@ class TestFlaskRoutes(unittest.TestCase):
        response = self.client.get('/api/')
        self.assertEqual(response.status_code, 200)

+    def test_static_files_served_safely(self):
+        # Make sure things outside the static folder are not accessible
+        response = self.client.get(r'/static/..%2f..%2fapi_docs.html')
+        self.assertEqual(response.status_code, 500)
+
    def test_get_config_route(self):
        response = self.client.get('/config/')
        self.assertEqual(response.status_code, 200)
 @ -1 +1 @@
 .4.7b9
 .5.0