Orchard Project Exposes Critical Path Traversal Flaw in File Download Endpoint
A direct path traversal vulnerability in the Orchard project's file download endpoint allows attackers to read arbitrary files from the server's filesystem. The flaw is located in the `download_file()` function within `app/orchard/controllers.py`, which takes a user-supplied filename parameter and passes it directly to Flask's `send_from_directory()` helper without any sanitization. This enables malicious actors to use sequences like `../../etc/passwd` to escape the intended directory and access sensitive system files.
The vulnerability is a textbook case of insufficient input validation. The code snippet shows that the function retrieves the `filename` argument directly from the request and uses it to construct a file path. Because no checks are performed to prevent directory traversal, an attacker can manipulate the `filename` parameter to navigate to any location readable by the server process. This exposes configuration files, environment variables, source code, and other critical data, posing a severe security risk to any deployment of the affected code.
This flaw represents a significant information disclosure threat. The ease of exploitation and the potential access to sensitive server-side data make it a high-priority issue for developers and security teams using or reviewing the Orchard codebase. Immediate remediation requires implementing strict input validation, such as using a secure basename function or an allowlist of permitted files, before the filename is passed to the file-serving mechanism.
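The two remediations named above, a basename reduction with a containment check and a file allowlist, as an added example written for this article rather than code from the Orchard project; the download directory and the allowlist contents are constructed assumptions, and the returned value is what a handler would pass to `send_from_directory()` in place of the raw request parameter.

```python
import os

# Constructed values for this example; Orchard's real download directory and
# published file set are not given in the advisory, so these are assumptions.
DOWNLOAD_DIR = "/srv/orchard/downloads"
ALLOWED_FILES = frozenset({"report.pdf", "export.csv"})


class UnsafeFilename(ValueError):
    """Raised when a requested filename would leave DOWNLOAD_DIR."""


def resolve_download_path(filename: str, base_dir: str = DOWNLOAD_DIR) -> str:
    """Return the absolute path to serve, or raise UnsafeFilename.

    Two independent checks: the request must be a bare basename (no
    separators, no '.'/'..', no NUL) and is rejected rather than "cleaned";
    then the joined path is resolved and must still lie under base_dir, so a
    symlink inside the directory cannot redirect the read elsewhere.
    """
    name = filename.replace("\\", "/")  # treat Windows separators the same way
    if "\x00" in name or "/" in name or name in ("", ".", ".."):
        raise UnsafeFilename(f"not a plain filename: {filename!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename(f"resolves outside download dir: {filename!r}")
    return candidate


def is_safe_download(filename: str, base_dir: str = DOWNLOAD_DIR) -> bool:
    """Boolean form of resolve_download_path, convenient for logging rejects."""
    try:
        resolve_download_path(filename, base_dir)
        return True
    except UnsafeFilename:
        return False


def authorize_download(filename: str) -> str:
    """Allowlist variant: serve only files the application explicitly publishes.
    Returns the bare filename to hand to send_from_directory()."""
    if filename not in ALLOWED_FILES:
        raise UnsafeFilename(f"not in allowlist: {filename!r}")
    return filename


if __name__ == "__main__":
    for req in ("report.pdf", "../../etc/passwd", "/etc/passwd", "a\\..\\b"):
        print(f"{req!r:22} safe={is_safe_download(req)}")
```

Rejecting rather than normalising the input keeps the log line for a blocked request useful, since the original `filename` value is preserved in the exception message.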