Consider the following use case:
import os

PREFIX = '/home/user/files/'
full_path = os.path.join(PREFIX, filepath)
open(full_path, 'rb')
...
filepath is user-controlled, so a malicious user might attempt a directory traversal (for example by setting it to ../../../etc/passwd). How can we make sure that filepath cannot traverse "above" our prefix? There are of course numerous ways to sanitize input against directory traversal. The easiest one (that I came up with) in Python is:
filepath = os.path.normpath('/' + filepath).lstrip('/')
It works because it turns the path into an absolute path, normalizes it and makes it relative again. As one cannot traverse above /, it effectively ensures that the filepath cannot go outside of
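As an added example (not code from the original post), the one-liner wrapped in a function together with the join it is meant to protect. The function names sanitize_relative_path and safe_join are my own, the sample inputs are constructed, and the realpath check goes beyond the post: normpath is purely lexical, so if a symlink inside PREFIX points elsewhere the one-liner alone would still accept it. The example assumes a POSIX filesystem, where only '/' separates path components.

```python
import os

PREFIX = '/home/user/files/'  # same prefix as in the post


def sanitize_relative_path(filepath):
    """Return filepath with every leading '/' and every '..' that would climb
    above the root removed, so it can safely be joined under a prefix.

    Prefixing '/' makes the input absolute, normpath() collapses '.', '//' and
    '..' (and '..' can never rise above '/'), and lstrip('/') makes the result
    relative again. lstrip (not a single character removal) matters because
    POSIX normpath keeps exactly two leading slashes, e.g. for '//etc/passwd'.
    """
    return os.path.normpath('/' + filepath).lstrip('/')


def safe_join(prefix, filepath):
    """Join a user-supplied path under prefix and verify it stays inside.

    The first check restates the lexical invariant with commonpath; the second
    resolves symlinks with realpath, which normpath cannot see (assumption: the
    prefix itself is not meant to contain links that leave it).
    """
    rel = sanitize_relative_path(filepath)
    full = os.path.join(prefix, rel)

    prefix_abs = os.path.abspath(prefix)
    if os.path.commonpath([prefix_abs, os.path.abspath(full)]) != prefix_abs:
        raise ValueError('path escapes prefix: %r' % filepath)

    prefix_real = os.path.realpath(prefix)
    if os.path.commonpath([prefix_real, os.path.realpath(full)]) != prefix_real:
        raise ValueError('path escapes prefix via symlink: %r' % filepath)
    return full


if __name__ == '__main__':
    # Constructed sample inputs: a classic traversal, a traversal hidden behind
    # a real component, an absolute path, and a messy but harmless path.
    for user_input in ['../../../etc/passwd', 'docs/../../secret.txt',
                       '/etc/passwd', 'a/./b//c']:
        print('%-22s -> %s' % (user_input, safe_join(PREFIX, user_input)))
```

Every input ends up under PREFIX: the traversal sequences are swallowed rather than rejected, so a request for ../../../etc/passwd resolves to /home/user/files/etc/passwd. If you would rather refuse such requests than silently rewrite them, compare sanitize_relative_path(filepath) with the original and raise on mismatch.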
Post updated: see the comments below for an explanation of the changes.