Python - safest way to handle user input
- Thread starter RTGHM
- Start date
We need more information on your use case because generally this isn't an issue as code is normally run on your own server or access given to trusted people.
EDIT: http://stackoverflow.com/questions/7406102/create-sane-safe-filename-from-any-unsafe-string
I think that's what you're looking for.
EDIT: http://stackoverflow.com/questions/7406102/create-sane-safe-filename-from-any-unsafe-string
I think that's what you're looking for.
Last edited by a moderator:
The right way to do it is to define what you allow, rather than to define what you don't. Anything that doesn't match what's allowed is rejected.
For example,
I couldn't find anywhere where python defines a domain name type object you could use - but perhaps there is a module out there.
For example,
- only letters/numbers/internal hyphen,
- a single period with a minimum number of letters before/after
- Length of chars before and after the period should be sane (I don't know what the actual length limit for a domain is - I'm sure it's in an RFC).
- etc.
I couldn't find anywhere where python defines a domain name type object you could use - but perhaps there is a module out there.
SentinelTower
New Member
I agree with raindog308.
Validate the input with a restrictive regex and you should be good to go.
Validate the input with a restrictive regex and you should be good to go.
Well, it accepts input from a web form on the python script, then it creates a directory for the user-supplied input.
So therefore I want to ensure it stays safe. I was going to do a regex just to accept A-Z 0-9 and a period.
Would that be safe enough?
A period? That doesn't sound good since someone can try to make a directory "." or "..", although it probably won't be an issue. Anyway you should be fine just with os.path.basename to make sure it's a single name, and os.path.exists to make sure dirctory doesn't exist yet.