一个小挑战（For Windows）：这个代码中可能存在什么漏洞

app.py

import os
import posixpath
from werkzeug.utils import secure_filename
from flask import Flask, redirect, url_for, abort, request, send_file
app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'upload')


def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ('txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif')


@app.route('/', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        if 'file' not in request.files:
            raise abort(403)
        file = request.files['file']
        if file.filename == '':
            raise abort(403)
        if file and allowed_file(file.filename):
            filename = secure_filename(file.filename)
            file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
            return redirect(url_for('download',
                                    filename=filename))
    return '''
    <!doctype html>
    <title>Upload new File</title>
    <h1>Upload new File</h1>
    <form method=post enctype=multipart/form-data>
      <p><input type=file name=file>
         <input type=submit value=Upload>
    </form>
    '''


@app.route("/upload/<path:filename>")
def download(filename):
    filename = filename.replace('\\', '/')
    for sep in filename.split('/'):
        if sep in ('..', '.'):
            raise abort(403)

    if os.path.isabs(filename):
        raise abort(403)

    filename = os.path.join(app.config['UPLOAD_FOLDER'], filename)
    if not posixpath.normpath(filename).startswith(app.config['UPLOAD_FOLDER'] + os.sep):
        raise abort(403)
    try:
        return send_file(filename)
    except FileNotFoundError:
        raise abort(404)


if __name__ == '__main__':
    if not os.path.exists(app.config['UPLOAD_FOLDER']):
        os.makedirs(app.config['UPLOAD_FOLDER'], 0o755)
    app.run(debug=False)

答案：
https://t.zsxq.com/VNFYnqb

能公开下writeup嘛？学习下