Comments on: Warning: os.path.join surprising behaviour

By: Chui

Chui — Tue, 19 Jun 2007 23:04:35 +0000

Fuzzyman,

You are right that it’s documented. It doesn’t stop the behavior from being surprising.

About stripping leading “/”, you also need to strip the drive name on Windows platforms.

A better guard is to assert that the joined path is a subdirectory of the base.

e.g. newpath = os.path.join(base, subpath) assert newpath.find(base) == 0
Perhaps it should be annotated as being unsafe on web platforms.

Chui

By: Dan

Dan — Tue, 19 Jun 2007 13:59:47 +0000

It surprises me. But os.path.join is inherently unsafe: ‘../../../d/e/f’ would have the same effect as ‘/d/e/f’ here. Don’t let untrusted sources supply paths!

By: dtlin

dtlin — Tue, 19 Jun 2007 13:58:10 +0000

>>> os.path.join(”/a/b/c”, *”/d/e/f”.split(’/'))
‘/a/b/c/d/e/f’

It is a bit surprising.

By: Fuzzyman

Fuzzyman — Tue, 19 Jun 2007 11:44:38 +0000

Oh - and you can stop it by detecting/removing the leading “/”.

By: Fuzzyman

Fuzzyman — Tue, 19 Jun 2007 11:43:51 +0000

How is that surprising? It is the documented behaviour, and usually desirable. The second path in your example is rooted.

By: afoo

afoo — Tue, 19 Jun 2007 11:26:51 +0000

Ah, nevermind, there already are http://sourceforge.net/tracker/index.php?func=detail&aid=1209447&group_id=5470&atid=105470 and http://sourceforge.net/tracker/index.php?func=detail&aid=1688564&group_id=5470&atid=105470

By: afoo

afoo — Tue, 19 Jun 2007 11:21:53 +0000

Hm IMHO, this is a bug and should be reported. What do you think?