Currently there is no warning in the python doc that using open() on user or other controlled filenames is dangerous.

May 10, 2010
5:37 a.m.
Currently there is no warning in the python doc that using open() on user or other controlled filenames is dangerous. I think that a warning should be in the documentation to say that if you are using open() and you do not have a set file parameter (hard-coded) then you *SHOULD* check the filename will not escape or point to places that are not desired. Personally I feel that python should have an open() argument to say "do not go outside FOO directory".
dave b
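
The check the message asks for ("do not go outside FOO directory") can be written as a wrapper around open(). This is an added example, not part of the original message and not a standard-library API; `open_within`, `PathEscapeError` and the sample file names are hypothetical, constructed for illustration.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """The requested name resolves outside the allowed directory."""


def open_within(base_dir, user_name, mode="r", **kwargs):
    """Open user_name only if it resolves inside base_dir (hypothetical helper)."""
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when user_name is absolute; realpath then
    # collapses ".." and follows symlinks, so all of these reach the check.
    target = os.path.realpath(os.path.join(base, user_name))
    # commonpath compares whole components, so "FOObar" is not inside "FOO"
    # (a plain str.startswith() prefix test would wrongly accept it).
    if os.path.commonpath([base, target]) != base:
        raise PathEscapeError(f"{user_name!r} resolves outside {base!r}")
    # Caveat: check and open are separate steps, so a directory that another
    # party can modify concurrently can still be raced (symlink swap).
    return open(target, mode, **kwargs)


def demo():
    """Run the check over constructed sample names; return label -> outcome."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        sandbox = os.path.join(root, "FOO")
        sibling = os.path.join(root, "FOObar")
        os.mkdir(sandbox)
        os.mkdir(sibling)
        secret = os.path.join(root, "secret.txt")
        for path, text in ((secret, "outside"),
                           (os.path.join(sibling, "x.txt"), "sibling"),
                           (os.path.join(sandbox, "notes.txt"), "hello")):
            with open(path, "w") as f:
                f.write(text)
        os.symlink(secret, os.path.join(sandbox, "link.txt"))
        # Constructed inputs: one legitimate name and four escape attempts.
        names = {"notes.txt": "notes.txt", "../secret.txt": "../secret.txt",
                 "<absolute>": secret, "link.txt": "link.txt",
                 "../FOObar/x.txt": "../FOObar/x.txt"}
        for label, name in names.items():
            try:
                with open_within(sandbox, name) as f:
                    outcomes[label] = f.read()
            except PathEscapeError:
                outcomes[label] = "blocked"
    return outcomes
```

Calling `demo()` returns the file contents for the legitimate name and `"blocked"` for the traversal, absolute-path, symlink and sibling-directory cases.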