Stephen J. Turnbull wrote:
> Steve Jorgensen writes:
> > I'm thinking of this specifically in terms of sanitizing input,
> > assuming that later usage of the value might or might not properly
> > protect against potential vulnerabilities. This is also limited to
> > the case where the value is supposed to be a single path referring
> > to an entry within a single directory context.
>
> This sounds extremely specialized to me.  For example, presumably
> you're not referring to dotted module specifications in Python, but
> those usually do map to filesystem paths in implementations, and I can
> imagine vulnerabilities (the one on top of my head requires a fair
> amount of Python ignorance and environmental serendipity, which sort
> of proves my point about situation-specificity) using Python module
> paths as mapped to filesystem paths.
> ISTM that it might be useful to provide a toolbox for scanning paths
> with various validation operations, but that it's really up to
> applications to decide which operations to use and what parameters
> (eg, evil code point set, bytes vs code points vs code units vs
> characters), and so on.  PyPI seems ideal for that, until it matures
> more than a discussion on the mailing lists can provide.
> Steve (T)

…so maybe it makes sense to have only the more specific sanitization in the 
standard library, then. In the POSIX case, I think that means just blocking "/" 
characters and "." or ".." values.
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/EVSXG4ZPE5OXNV3NCHPIU5YKAJRMM3NF/
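
The POSIX check proposed in the reply above, written out as an added example (not code from the thread or from the standard library). The names `check_posix_component` and `join_entry` are hypothetical, and the empty-name and NUL checks are additions beyond the three cases the message lists.

```python
import posixpath


def check_posix_component(name):
    """Return name unchanged if it can name one entry in one POSIX directory.

    Raises ValueError otherwise. Accepts str or bytes, never a mix.
    """
    if isinstance(name, bytes):
        sep, nul, dots = b"/", b"\0", (b".", b"..")
    elif isinstance(name, str):
        sep, nul, dots = "/", "\0", (".", "..")
    else:
        raise TypeError("name must be str or bytes")
    if not name:                      # addition: "" joins back to the directory itself
        raise ValueError("empty name")
    if sep in name:                   # from the message: block "/"
        raise ValueError("name contains '/'")
    if name in dots:                  # from the message: block "." and ".."
        raise ValueError("name is '.' or '..'")
    if nul in name:                   # addition: NUL cannot appear in a POSIX filename
        raise ValueError("name contains NUL")
    return name


def join_entry(directory, name):
    """Join a trusted directory with an untrusted single-entry name."""
    return posixpath.join(directory, check_posix_component(name))


# Constructed sample inputs, not taken from the thread.
SAMPLES = ["report.txt", "..hidden", ".", "..", "../etc/passwd",
           "/etc/passwd", "a/b", "", "x\0y"]


def classify(samples=SAMPLES):
    """Map each sample to "ok" or to the reason it was rejected."""
    verdicts = {}
    for sample in samples:
        try:
            check_posix_component(sample)
            verdicts[sample] = "ok"
        except ValueError as exc:
            verdicts[sample] = str(exc)
    return verdicts


if __name__ == "__main__":
    for sample, verdict in classify().items():
        print(repr(sample), "->", verdict)
```

Names such as `..hidden` pass because only the exact values `.` and `..` are special; the check is exact equality, not a prefix test.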