Deprecate confusing APIs like “os.path.commonprefix()”. After fixing a vulnerability in #pip, I started digging into the confusing API and found more than I expected.

👉 https://sethmlarson.dev/deprecate-confusing-apis-like-os-path-commonprefix

#python #oss #opensource #security

Deprecate confusing APIs like “os.path.commonprefix()”

The os.path.commonprefix() function has been an API in the Python standard library for at least 35 years (since February 1991) and in that time has been confusing users and creating security issues...

sethmlarson.dev
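An added example (not code from the post or from pip) showing why os.path.commonprefix() is a trap when used as a directory-containment check, and the component-wise check that replaces it; the base directory and the three sample paths are constructed, and posixpath is used so the results do not depend on the host platform:

```python
import posixpath


def naive_contains(base: str, target: str) -> bool:
    """The pattern the post warns about: commonprefix() compares the strings
    character by character, not path component by component, so a sibling
    directory whose name merely starts with the same letters passes."""
    return posixpath.commonprefix([base, target]) == base


def safe_contains(base: str, target: str) -> bool:
    """Component-wise containment check built on commonpath().
    Both inputs are normalised first because commonpath() does not collapse
    '..' segments; without normpath(), '/srv/uploads/../etc/passwd' would
    still share the component prefix '/srv/uploads' and be accepted."""
    base = posixpath.normpath(base)
    target = posixpath.normpath(target)
    if not (posixpath.isabs(base) and posixpath.isabs(target)):
        raise ValueError("containment checks need absolute paths")
    # Symlinks are a separate problem: resolve with os.path.realpath()
    # before calling this on paths that exist on disk.
    return posixpath.commonpath([base, target]) == base


# Constructed sample inputs: a legitimate file, a sibling directory whose
# name starts with the same characters as the base, and a '..' traversal.
SAMPLES = [
    "/srv/uploads/report.pdf",
    "/srv/uploads_private/secret.txt",
    "/srv/uploads/../etc/passwd",
]


def compare(base: str = "/srv/uploads") -> dict[str, tuple[bool, bool]]:
    """Return {path: (commonprefix verdict, commonpath verdict)} per sample."""
    return {p: (naive_contains(base, p), safe_contains(base, p)) for p in SAMPLES}


if __name__ == "__main__":
    for path, (naive, safe) in compare().items():
        print(f"{path:40} commonprefix={naive!s:5} commonpath={safe}")
```

Only the first sample is genuinely inside the base directory; commonprefix() accepts all three.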

@sethmlarson wow, this is great. TIL about that SecureDrop bug, it long predates my time being on the team but still appreciated.

My only wish is that Python (and every other language) shipped proper path traversal resistant APIs, a la https://go.dev/blog/osroot

Traversal-resistant file APIs - The Go Programming Language

New file access APIs in Go 1.24.