python – Simple web file browser with Flask

I have created a simple web file browser with Flask. It also shows some metadata for a file. I have some questions regarding security, though: can an attacker escape the predefined root directory? Is there a way to make my code more readable and/or more effective? I would love to have feedback to improve my program! 🙂

app.py:

import os
import stat

from flask import Flask, abort, render_template

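app = Flask(__name__)

# Make the WSGI interface available at the top level for wfastcgi to get it.
wsgi_app = app.wsgi_app

# Directory the browser is confined to. Every request path is resolved
# relative to this directory and must stay inside it.
# NOTE(review): the pasted source showed "D:  Test123"; the separator is
# presumably a backslash lost in extraction — confirm the intended path.
FILE_SYSTEM_ROOT = r"D:\Test123"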

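@app.route('/')
def index():
    """Serve the landing page (templates/index.html)."""
    return render_template('index.html')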

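@app.route('/browser')
def browse():
    """List the entries directly under FILE_SYSTEM_ROOT.

    Returns:
        browse.html rendered with ``itemList``, the names returned by
        os.listdir() for the root directory. No ``urlFilePath`` is passed
        here, unlike the per-path route — presumably browse.html tolerates
        it being undefined; confirm against the template.
    """
    itemList = os.listdir(FILE_SYSTEM_ROOT)
    return render_template('browse.html', itemList=itemList)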

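def _resolve_under_root(urlFilePath):
    """Map a URL path onto the filesystem, or return None if it escapes FILE_SYSTEM_ROOT.

    Both the root and the candidate go through os.path.realpath, so ``..``
    segments, an absolute ``urlFilePath`` (os.path.join discards the root
    entirely when its second argument is absolute) and symlinks that point
    outside the tree are all compared against the real root directory.

    Args:
        urlFilePath: path component taken from the URL.

    Returns:
        The resolved absolute path when it lies inside the root, else None.
    """
    root = os.path.realpath(FILE_SYSTEM_ROOT)
    candidate = os.path.realpath(os.path.join(root, urlFilePath))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        # os.path.commonpath raises when the paths are on different drives
        # (Windows); that is by definition outside the root.
        inside = False
    return candidate if inside else None


@app.route('/browser/<path:urlFilePath>')
def browser(urlFilePath):
    """Show a directory listing or the metadata of one file below FILE_SYSTEM_ROOT.

    Args:
        urlFilePath: the remainder of the URL after ``/browser/``, treated as
            a path relative to FILE_SYSTEM_ROOT.

    Returns:
        browse.html for a directory, file.html for a regular file.

    Raises:
        The HTTP 404 exception from flask.abort() when the path resolves
        outside the root or is neither a directory nor a regular file
        (the original returned a 200 with "something wrong happened").
    """
    nestedFilePath = _resolve_under_root(urlFilePath)
    if nestedFilePath is None:
        abort(404)
    # The original always handed the template a leading slash; presumably
    # browse.html builds links from urlFilePath — confirm against the template.
    if not urlFilePath.startswith("/"):
        urlFilePath = "/" + urlFilePath
    if os.path.isdir(nestedFilePath):
        itemList = os.listdir(nestedFilePath)
        return render_template('browse.html', urlFilePath=urlFilePath, itemList=itemList)
    if os.path.isfile(nestedFilePath):
        # os.stat() instead of os.fstat(os.open(...)): the descriptor opened
        # in the original was never closed, leaking one fd per request.
        sbuf = os.stat(nestedFilePath)
        # NOTE(review): "file path" and currentFile expose the absolute
        # server-side path in the rendered page, as the original did.
        fileProperties = {
            "file path": nestedFilePath,
            "type": stat.S_IFMT(sbuf.st_mode),
            "mode": stat.S_IMODE(sbuf.st_mode),
            "mtime": sbuf.st_mtime,
            "size": sbuf.st_size,
        }
        return render_template('file.html', currentFile=nestedFilePath, fileProperties=fileProperties)
    abort(404)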

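if __name__ == "__main__":
    # app.run() is Flask's development server; it is bound to every
    # interface on port 80 here. For deployment the module already exposes
    # wsgi_app for a WSGI host (see the wfastcgi comment above).
    app.run(host="0.0.0.0", port=80)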

browse.html:





    
    


    


file.html:





    
    


    

Current file: {{currentFile}}

{% for key, value in fileProperties.items() %}
{{ key }} {{ value }}
{% endfor %}

The output when browsing looks like this:
browse.html example

The output with the metadata of a file looks like this:
example file.html