Is using os.path.abspath to validate an untrusted filename's location secure?

Posted by mcmt on Stack Overflow See other posts from Stack Overflow or by mcmt
Published on 2010-04-19T00:25:46Z Indexed on 2010/04/19 0:53 UTC

I don't think I'm missing anything. Then again I'm kind of a newbie.

# Imports and the STATIC_PATH setting are not shown in the question; they are
# assumed here so the snippet runs (Python 2 era: urllib.unquote, web.py GET).
import urllib
from os import path

STATIC_PATH = "/var/www/static"   # assumed value; the directory files are served from

def GET(self, filename):
    name = urllib.unquote(filename)
    # Note: the decoded `name` is computed but the raw `filename` is what gets joined below.
    full = path.abspath(path.join(STATIC_PATH, filename))
    #Make sure request is not tricksy and tries to get out of
    #the directory, e.g. filename = "../.ssh/id_rsa". GET OUTTA HERE
    assert full[:len(STATIC_PATH)] == STATIC_PATH, "bad path"
    return open(full).read()

Edit: I realize this will return the wrong HTTP error code if the file doesn't exist (at least under web.py). I will fix this.
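An added example (not part of the question or of web.py) that puts the question's plain string-prefix check beside a check built on os.path.realpath and os.path.commonpath, so the two can be run on the same inputs. The base directory /srv/app/static and the sample request names are constructed for the demonstration; naive_check and safe_static_path are illustrative names, not web.py APIs. The prefix comparison accepts a sibling directory whose name merely begins with the base path, and it compares the path before symlinks are resolved; the realpath-based version rejects both, and also rejects NUL bytes and the base directory itself.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed base directory for the demonstration; any absolute path works.
STATIC_PATH = "/srv/app/static"


def naive_check(base, filename):
    """The question's approach: abspath, then compare the string prefix.

    Returns the path it would open, or None if the prefix check fails.
    """
    full = os.path.abspath(os.path.join(base, filename))
    return full if full[:len(base)] == base else None


def safe_static_path(base, filename):
    """Return the resolved path if it is strictly inside `base`, else None.

    - percent-decodes the request name once before joining
    - rejects NUL bytes, which would truncate the name in a C open()
    - resolves symlinks on both sides with realpath before comparing
    - compares path components with commonpath, not a string prefix,
      so '/srv/app/static_private' is not mistaken for '/srv/app/static'
    - rejects the base directory itself (an empty or '.' request)
    """
    name = unquote(filename)
    if "\x00" in name:
        return None
    base_real = os.path.realpath(base)
    full = os.path.realpath(os.path.join(base_real, name))
    try:
        inside = os.path.commonpath([base_real, full]) == base_real
    except ValueError:          # e.g. different drives on Windows
        return None
    if not inside or full == base_real:
        return None
    return full


def symlink_demo():
    """Show the symlink gap: a link inside the static dir pointing outside.

    Builds a throwaway tree in a temp dir. Returns (naive_result, safe_result)
    for a request that follows the link; None for either means 'rejected'.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "static")
        outside = os.path.join(tmp, "secret.txt")
        os.mkdir(base)
        with open(outside, "w") as fh:
            fh.write("not for serving\n")
        link = os.path.join(base, "escape")
        try:
            os.symlink(outside, link)
        except (OSError, NotImplementedError):
            return None, None      # platform without symlink support
        return naive_check(base, "escape"), safe_static_path(base, "escape")


if __name__ == "__main__":
    for req in ["css/site.css", "../static_private/secret",
                "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", ""]:
        print("%-28r naive=%-40r safe=%r" % (
            req, naive_check(STATIC_PATH, req), safe_static_path(STATIC_PATH, req)))
    print("symlink demo (naive, safe):", symlink_demo())
```

The sibling-directory case is the one the prefix check misses on its own: `../static_private/secret` normalises to `/srv/app/static_private/secret`, which starts with `/srv/app/static`. Serving from a path under realpath also means an attacker who can place a symlink inside the static tree (uploads, a careless deploy) cannot use it to read outside it, which the abspath-only version permits.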
