Is using os.path.abspath a reliable way to verify the location of an untrusted file name?

I don't think I'm missing anything. Again, I'm kind of a beginner.

import urllib
from os import path

STATIC_PATH = "/var/www/static"  # placeholder: the real value is not shown in the question

def GET(self, filename):
    name = urllib.unquote(filename)
    # join the decoded name (the original joined the still-encoded filename and never used name)
    full = path.abspath(path.join(STATIC_PATH, name))
    #Make sure request is not tricksy and tries to get out of
    #the directory, e.g. filename = "../.ssh/id_rsa". GET OUTTA HERE
    assert full[:len(STATIC_PATH)] == STATIC_PATH, "bad path"
    return open(full).read()

Edit: I understand that this will return the wrong HTTP error code if the file does not exist (at least under web.py). I will fix this.

+3
3 answers

os.path.abspath does normalize the path. However, assert is stripped when Python runs with python -O, so the check vanishes. Also, STATIC_PATH should end with the directory separator: if STATIC_PATH is /foo/bar, a path like /foo/barbie/ would also pass the prefix check (unless STATIC_PATH already ends with a separator).

+6


Make sure that either STATIC_PATH ends with the directory separator, or the character that follows it in full is.

0
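A hardened version of the check, added here as an example rather than code from the question or any of the answers. It is written for Python 3 and uses a constructed STATIC_PATH; it puts the question's prefix test next to a realpath/commonpath version so that the sibling-directory case raised in the answers above can be seen to slip past the former.

```python
import os
import urllib.parse

# Constructed for this example; the question does not show the real value.
STATIC_PATH = "/srv/app/static"

class BadPath(Exception):
    """The requested name resolves outside the static directory."""

def naive_is_inside(static_path, filename):
    """The question's prefix test, applied to the decoded name, as a boolean."""
    full = os.path.abspath(os.path.join(static_path, urllib.parse.unquote(filename)))
    return full[:len(static_path)] == static_path

def resolve_static(static_path, filename):
    """Map an untrusted, URL-encoded file name to a path under static_path.

    Compared with the question's check: realpath() follows symlinks before
    comparing; commonpath() against the root rejects a sibling directory such
    as /srv/app/staticky, which a bare string-prefix test accepts; and a real
    exception is raised instead of assert, which python -O strips out.
    """
    root = os.path.realpath(static_path)
    name = urllib.parse.unquote(filename)
    # join() discards root if name is absolute; commonpath() catches that too.
    full = os.path.realpath(os.path.join(root, name))
    try:
        if os.path.commonpath([root, full]) != root:
            raise BadPath(name)
    except ValueError:  # e.g. different drives on Windows
        raise BadPath(name)
    return full

def classify(static_path, filename):
    """Return (naive_verdict, hardened_verdict) for one requested name."""
    naive = "accepted" if naive_is_inside(static_path, filename) else "rejected"
    try:
        resolve_static(static_path, filename)
        hardened = "accepted"
    except BadPath:
        hardened = "rejected"
    return naive, hardened

if __name__ == "__main__":
    for req in ["css/site.css", "..%2F..%2Fetc%2Fpasswd", "../staticky/secret"]:
        print(req, classify(STATIC_PATH, req))
```

Note that realpath() also rejects a legitimate symlink inside the static tree that points outside it; if you need to serve such links, resolve the root and the candidate the same way and decide explicitly which targets are allowed.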

Source: https://habr.com/ru/post/1741699/
