0

https://security.openstack.org/guidelines/dg_using-file-paths.html

如果我尝试从上面的链接运行给定的代码:

import os

def is_safe_path(basedir, path, follow_symlinks=True):
    # resolves symbolic links
    if follow_symlinks:
         matchpath = os.path.realpath(path).startswith(basedir)
    else:
         matchpath = os.path.abspath(path).startswith(basedir)
    return basedir == os.path.commonpath((basedir, matchpath))

is_safe_path('/test', '/test/../abc')

它显然不起作用:

$ python
Python 3.8.8 (default, Mar  4 2021, 21:24:42)
[GCC 10.2.0] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>>
>>> def is_safe_path(basedir, path, follow_symlinks=True):
...     # resolves symbolic links
...     if follow_symlinks:
...          matchpath = os.path.realpath(path).startswith(basedir)
...     else:
...          matchpath = os.path.abspath(path).startswith(basedir)
...     return basedir == os.path.commonpath((basedir, matchpath))
...
>>> is_safe_path('/test', '/test/../abc')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 7, in is_safe_path
  File "/usr/lib/python3.8/posixpath.py", line 496, in commonpath
    paths = tuple(map(os.fspath, paths))
TypeError: expected str, bytes or os.PathLike object, not bool

这里有什么虚假代码?是否应该.startswith()删除?我是否完全误解了在元组中使用布尔值的目的是什么?

我找到了更改的编辑:

https://bugs.launchpad.net/ossa/+bug/1815422 https://review.opendev.org/c/openstack/ossa/+/771854/

4

1 回答 1

1

这是代码中的拼写错误,.startswith(basedir)并不意味着遵循realpathor abspath。老实说,很可能是复制和粘贴问题。我强烈建议您提交该问题的修复程序!

于 2021-06-20T23:41:49.427 回答