I'm trying to check if a given user-supplied string is a simple file/folder name. I plan on using os.path.join() to concatenate this name to a preset root directory, but I want to detect and prohibit paths that try to traverse anywhere outside of that root directory.
For example, a string with the value 'track001.mp3' would be fine, it would resolve to 'root_dir/track001.mp3'. However, these should be detected and disallowed:
'../other_root_dir/'
'/etc'
'/'
'~'
'subdir/inner_file'
I would advise you to create the path string as you normally would assuming that the user is behaving (e.g. passing a "simple" or conforming path name). Then I'd use os.path.expandvars and os.path.normpath to get the actual path name. Finally, I'd check to make sure that the actual path name resides within the root directory. Something like:
from os.path import expandvars, normpath, join
ROOT_DIR = 'root_dir'
user_path = 'some_path'
test_path = normpath(expandvars(join(ROOT_DIR, user_path)))
expected_prefix = normpath(ROOT_DIR)
if not test_path.startswith(expected_prefix):
raise ValueError(f'Invalid path "{user_path}"') # python3.6 f-string.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 爷的心禁止访问 的文章《Is there a well-defined way to check if a path is 》','https://www.manongdao.com/article-946873.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}