r0g wrote:

Yep, I spotted that too which is why white-listing is my fallback plan.
My question is really about the security of using unfiltered data in a
filesystem function though. Are there particualar exploits that could
make use of such unfiltered calls?

The classic one would be submitting a filename such as 'a'*1000, but current OSes should be immune from that sort of thing by now.


 For example I'd imagine jailbreaking
might be a concern if the app isn't run under it's own restricted user
account. Do others here consider this when designing applications and
what techniques/modules, if any, do you use to sanitize path/filename input?

--
http://mail.python.org/mailman/listinfo/python-list

Reply via email to