[issue46124] Deprecation warning in zoneinfo module
Jason R. Coombs
report at bugs.python.org
Tue Dec 28 16:15:41 EST 2021
Jason R. Coombs <jaraco at jaraco.com> added the comment:
> Does `joinpath` have less validation?
Yes. Previously, resources.* would perform some validation on the path to ensure that it didn't contain path separators (to avoid users attempting to get resources in subdirectories or perhaps manipulating the path in other ways).
So no, they're not equivalent. If `resource_name` or "zones" ever contained path separators, the former implementation would raise an error whereas this implementation would attempt to join those characters to the path. Since "zones" is a static string, it's clearly not affected. And `resource_name` can't have posixpath.sep. If `key` had an ntpath.sep, that might behave differently, but that seemed like an edge case not worth exploring.
If it is worth exploring, I would recommend not to use normalize_path, but instead to implement the validation in zoneinfo._common. That is, wrap key in `_validate_key()` that protects against invalid paths. But in practice, it's better to do that closer to where the unsanitized data would be encountered (if at all).
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46124>
_______________________________________
More information about the Python-bugs-list
mailing list