[Python-ideas] Working with Path objects: p-strings?
Paul Moore
p.f.moore at gmail.com
Tue Mar 29 06:41:07 EDT 2016
On 29 March 2016 at 11:24, Koos Zevenhoven <k7hoven at gmail.com> wrote:
>> As we all know, togo is user input containing
>> ../../../../../../../../../../../../../../../etc/passwd
>>
>
> How about
>
> p'/' /wherever/youwant//togo
>
> That is, the floordiv operator could be used to prevent 'togo' from going up
> the directory tree with "../../" or "/etc/passwd". The // would thus
> restrict the user (who provides `togo`) into /wherever/youwant/ and it its
> subdirectories.
There have been a number of previous threads about the security of
path objects (and for that matter of os.path) and "sandboxing" paths
to disallow traversing "up" out of a particular directory.
I've no idea whether the floordiv operator would work for this purpose
(I'm not a security expert, and most of my personal applications can
afford to take a very lax view of such things, luckily) but it's an
interesting idea. Potentially, it's a bit easy to miss, which may be a
problem.
Paul
More information about the Python-ideas
mailing list