On Sun, Jun 27, 2021 at 09:55:34PM -0400, Wes Turner wrote: > "[Python-ideas] Sanitize filename (path part) 2nd try" > https://mail.python.org/archives/list/python-ideas@python.org/thread/LRIKMG3G4I4YQNK6BTU7MICHT7X67MEF/ > > "[Python-ideas] Sanitize filename (path part)" > https://mail.python.org/archives/list/python-ideas@python.org/thread/SQH4LPERFLKBLXPDUOVJMV24JBCBUCYO/ > > ```quote > What does sanitizepart do with a leading slash? > > assert os.path.join("a", "/b") == "/b" > > A new safejoin() or joinsafe() or join(safe='True') could call > sanitizepart() such that: > > assert joinsafe("a\n", "/b") == "a\n/b" > ```
Thanks for the links. "sanitizepart()" seems to be about *constructing* a safe filename. It's a different problem and there's a thousand ways to do it. I think the idea with joinsafe() is similar to my idea... But I think the req to disallow '..' is crucial. If we set the requirements as: 1. the resulting path must not be above the lhs arg 2. the operation must be done without actually accessing the fs right now I see the proposed operation that rejects '..' as the best approach. Zbyszek _______________________________________________ Python-ideas mailing list -- python-ideas@python.org To unsubscribe send an email to python-ideas-le...@python.org https://mail.python.org/mailman3/lists/python-ideas.python.org/ Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/23YRQ43XG4ZQFICIH3S75UD5HLMWU76H/ Code of Conduct: http://python.org/psf/codeofconduct/
