device names

Werkzeug’s safe_join() has a new Windows‑specific wrinkle: a recently assigned CVE shows the function can still resolve paths that end with legacy Windows device names when those names are embedded inside multi‑segment paths, allowing a remote request handled by send_from_directory() to open a...