Just another Red Mountain Software Sites site
>>> os.path.join("/a/b/c", "/d/e/f")
"/d/e/f"
This can be a problem if “/d/e/f” comes from an untrusted source.
As a safety measure, avoid using os.path.join in your web applications, roll your own and call it “safe_join”. You will sleep better.
You’re currently reading “ Warning: os.path.join surprising behaviour ,” an entry on Chui's Counterpoint
Hm IMHO, this is a bug and should be reported. What do you think?
How is that surprising? It is the documented behaviour, and usually desirable. The second path in your example is rooted.
Oh – and you can stop it by detecting/removing the leading “/”.
>>> os.path.join(“/a/b/c”, *”/d/e/f”.split(‘/’))
‘/a/b/c/d/e/f’
It is a bit surprising.
It surprises me. But os.path.join is inherently unsafe: ‘../../../d/e/f’ would have the same effect as ‘/d/e/f’ here. Don’t let untrusted sources supply paths!
Fuzzyman,
You are right that it’s documented. It doesn’t stop the behavior from being surprising.
About stripping leading “/”, you also need to strip the drive name on Windows platforms.
A better guard is to assert that the joined path is a subdirectory of the base.
e.g.
newpath = os.path.join(base, subpath)
assert newpath.find(base) == 0
Perhaps it should be annotated as being unsafe on web platforms.
Chui
XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
7 Comments
Jump to comment form | comments rss [?] | trackback uri [?]