
On Sun, Jun 27, 2021 at 09:55:34PM -0400, Wes Turner wrote:
"[Python-ideas] Sanitize filename (path part) 2nd try" https://mail.python.org/archives/list/python-ideas@python.org/thread/LRIKMG3...
"[Python-ideas] Sanitize filename (path part)" https://mail.python.org/archives/list/python-ideas@python.org/thread/SQH4LPE...
```quote
What does sanitizepart do with a leading slash?
assert os.path.join("a", "/b") == "/b"
A new safejoin() or joinsafe() or join(safe='True') could call sanitizepart() such that:
assert joinsafe("a\n", "/b") == "a\n/b"
```
Thanks for the links. "sanitizepart()" seems to be about *constructing* a safe filename. It's a different problem and there's a thousand ways to do it.

I think the idea with joinsafe() is similar to my idea... But I think the req to disallow '..' is crucial.

If we set the requirements as:
1. the resulting path must not be above the lhs arg
2. the operation must be done without actually accessing the fs

right now I see the proposed operation that rejects '..' as the best approach.

Zbyszek
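The two requirements listed in this message, as an added example that is not code from the thread or from any Python proposal: a purely lexical join that rejects absolute parts and '..' components. The names `join_no_dotdot`, `try_join` and `UnsafePathError` are hypothetical, and POSIX separators are assumed via `posixpath`.

```python
import posixpath


class UnsafePathError(ValueError):
    """Raised when a part could move the result above the base."""


def join_no_dotdot(base, *parts):
    """Join parts under base using string operations only (no fs access).

    Hypothetical helper, not a stdlib API. Rejects absolute parts and any
    '..' component, so the result is lexically never above `base`.
    Symlinks below `base` are not resolved; that would need the filesystem.
    """
    for part in parts:
        if "\0" in part:
            raise UnsafePathError(f"NUL byte in {part!r}")
        if posixpath.isabs(part):
            # posixpath.join("a", "/b") == "/b": an absolute part discards base.
            raise UnsafePathError(f"absolute part {part!r}")
        if ".." in part.split("/"):
            # Match whole components only, so names like "a..b" stay legal.
            raise UnsafePathError(f"'..' component in {part!r}")
    return posixpath.join(base, *parts)


def try_join(base, *parts):
    """Return the joined path, or None when a part is rejected."""
    try:
        return join_no_dotdot(base, *parts)
    except UnsafePathError:
        return None


# Constructed sample inputs (base directory and parts are made up).
SAMPLES = [
    ("/srv/files", "docs/report.txt"),
    ("/srv/files", "/b"),
    ("/srv/files", "../secret"),
    ("/srv/files", "docs/../../secret"),
    ("/srv/files", "a..b/file..txt"),
]

if __name__ == "__main__":
    for base, part in SAMPLES:
        plain = posixpath.join(base, part)
        print(f"{part!r:22} plain={plain!r:34} checked={try_join(base, part)!r}")
```

Rejecting every '..' component is stricter than normalizing and comparing prefixes: `docs/../report.txt` is refused even though it would stay under the base.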