r0g wrote:
Yep, I spotted that too which is why white-listing is my fallback plan. My question is really about the security of using unfiltered data in a filesystem function though. Are there particualar exploits that could make use of such unfiltered calls?
The classic one would be submitting a filename such as 'a'*1000, but current OSes should be immune from that sort of thing by now.
For example I'd imagine jailbreaking
might be a concern if the app isn't run under it's own restricted user account. Do others here consider this when designing applications and what techniques/modules, if any, do you use to sanitize path/filename input?
-- http://mail.python.org/mailman/listinfo/python-list