[Tutor] I need help slicing.

Danny Yoo dyoo@hkn.eecs.berkeley.edu
Fri, 12 Jul 2002 13:53:11 -0700 (PDT)


> Yes. I thought about the os module. But all of the paths in the
> querystrings will be relative. For example:

No problem: there's a function in os.path called abspath() that will turn
relative urls into absolute ones, so that you can even deal with stuff
like '../../../etc/../etc/passwd':

###
>>> import os
>>> print(os.path.abspath('../../etc/../etc/passwd'))
/etc/passwd
###

If you do everything with absolute paths, that may simplify your problem.



> So my thought was either write the script to limit all filenames to
> files in this relative directory or to use splicing to verify the file
> extension. Does this sound like a secure enough method?

File extension doesn't sound too safe, but limiting access to a certain
directory sounds sorta ok.  Just make sure to use os.path.abspath(), to
pacify weird relative paths into absolute ones.


Hope this helps!
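
An added example, not part of the original message: one way to implement the "limit access to a certain directory" check discussed above. The helper name resolve_inside, the directory names and the sample inputs are constructed for illustration; it goes slightly beyond the message by using os.path.realpath(), which normalises like abspath() and also resolves symlinks.

```python
import os
import tempfile


def resolve_inside(base_dir, user_path):
    """Return the absolute path for user_path if it stays inside base_dir.

    Raises ValueError otherwise. Hypothetical helper, not from the post.
    """
    # realpath() normalises '..' like abspath() and also resolves symlinks,
    # so a link inside base_dir cannot point the script elsewhere.
    base = os.path.realpath(base_dir)
    # Joining with an absolute user_path discards base, so the check below
    # is what rejects inputs such as '/etc/passwd'.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares whole components; a plain startswith() test
    # would wrongly accept a sibling directory such as 'docs-private'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def check_samples():
    """Run constructed sample inputs; return {input: allowed?}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "docs")
        os.makedirs(os.path.join(base, "sub"))
        os.makedirs(os.path.join(root, "docs-private"))
        samples = [
            "index.html",
            "sub/../index.html",
            "../../etc/../etc/passwd",
            "/etc/passwd",
            "../docs-private/secret.txt",
        ]
        for s in samples:
            try:
                resolve_inside(base, s)
                results[s] = True
            except ValueError:
                results[s] = False
    return results


if __name__ == "__main__":
    for path, ok in check_samples().items():
        print("%-30s %s" % (path, "allowed" if ok else "rejected"))
```

The check is applied to the resolved path, after normalisation, rather than to the raw query-string value.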