Stephen J. Turnbull wrote: > Steve Jorgensen writes: > > I'm thinking of this specifically in terms of > > sanitizing input, > > assuming that later usage of the value might or might not properly > > protect against potential vulnerabilities. This is also limited to > > the case where the value is supposed to be a single path referring > > to an entry within a single directory context. > > This sounds extremely specialized to me. For example, presumably > you're not referring to dotted module specifications in Python, but > those usually do map to filesystem paths in implementations, and I can > imagine vulnerabilities (the one on top of my head requires a fair > amount of Python ignorance and environmental serendipity, which sort > of proves my point about situation-specificity) using Python module > paths as mapped to filesystem paths. > ISTM that it might be useful to provide a toolbox for scanning paths > with various validation operations, but that it's really up to > applications to decide which operations to use and what parameters > (eg, evil code point set, bytes vs code points vs code units vs > characters), and so on. PyPI seems ideal for that, until it matures > more than a discussion on the mailing lists can provide. > Steve (T)
…so maybe it makes sense to have only the more specific sanitization in the standard library, then. In the POSIX case, I think that means just blocking "/" characters and "." or ".." values. _______________________________________________ Python-ideas mailing list -- python-ideas@python.org To unsubscribe send an email to python-ideas-le...@python.org https://mail.python.org/mailman3/lists/python-ideas.python.org/ Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/EVSXG4ZPE5OXNV3NCHPIU5YKAJRMM3NF/ Code of Conduct: http://python.org/psf/codeofconduct/