
On 29 March 2016 at 11:24, Koos Zevenhoven k7hoven@gmail.com wrote:
As we all know, togo is user input containing ../../../../../../../../../../../../../../../etc/passwd
How about
p'/' /wherever/youwant//togo
That is, the floordiv operator could be used to prevent 'togo' from going up the directory tree with "../../" or "/etc/passwd". The // would thus restrict the user (who provides `togo`) into /wherever/youwant/ and its subdirectories.
There have been a number of previous threads about the security of path objects (and for that matter of os.path) and "sandboxing" paths to disallow traversing "up" out of a particular directory.
I've no idea whether the floordiv operator would work for this purpose (I'm not a security expert, and most of my personal applications can afford to take a very lax view of such things, luckily) but it's an interesting idea. Potentially, it's a bit easy to miss, which may be a problem.
Paul
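
The confinement discussed in this thread, as an added example that is not part of the original messages and not a pathlib feature: `naive_join` shows what the existing `/` operator does with untrusted input, and `confined_join` is a hypothetical helper with the semantics proposed for `//`. The helper names, the exception class and the sample inputs are assumptions made for illustration.

```python
import posixpath
from pathlib import PurePosixPath


class PathEscapeError(ValueError):
    """Raised when the untrusted part would leave the base directory."""


def naive_join(base, untrusted):
    # What `/` does today: an absolute right-hand side replaces the base,
    # and ".." segments are kept as-is for the OS to interpret later.
    return PurePosixPath(base) / untrusted


def confined_join(base, untrusted):
    """Join `untrusted` under `base`, refusing anything that escapes `base`.

    Hypothetical helper, not a pathlib API. The check is purely lexical:
    symlinks are not followed, so on a real filesystem also compare the
    Path.resolve() results of both paths before opening the file.
    """
    base = PurePosixPath(posixpath.normpath(str(base)))
    if not base.is_absolute():
        raise ValueError("base must be an absolute path")
    if "\x00" in untrusted:
        raise PathEscapeError("NUL byte in untrusted path")
    # Strip leading slashes so "/etc/passwd" is treated as relative to base,
    # then collapse "." and ".." segments before checking containment.
    joined = posixpath.join(str(base), untrusted.lstrip("/"))
    candidate = PurePosixPath(posixpath.normpath(joined))
    try:
        # Compares whole path components, so "/wherever/youwant2" is not
        # mistaken for a child of "/wherever/youwant" as a prefix test would.
        candidate.relative_to(base)
    except ValueError:
        raise PathEscapeError(f"{untrusted!r} escapes {str(base)!r}") from None
    return candidate


if __name__ == "__main__":
    base = "/wherever/youwant"
    # Constructed sample inputs standing in for the user-supplied `togo`.
    for togo in ("reports/q1.txt", "/etc/passwd", "../" * 15 + "etc/passwd"):
        try:
            print(repr(togo), "->", confined_join(base, togo))
        except PathEscapeError as exc:
            print(repr(togo), "-> rejected:", exc)
```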