Deprecate confusing APIs like “os.path.commonprefix()”. After fixing a vulnerability in #pip, I started digging into the confusing API and found more than I expected.

👉 https://sethmlarson.dev/deprecate-confusing-apis-like-os-path-commonprefix

#python #oss #opensource #security

Deprecate confusing APIs like “os.path.commonprefix()”

The os.path.commonprefix() function has been an API in the Python standard library for at least 35 years (since February 1991) and in that time has been confusing users and creating security issues...

sethmlarson.dev

@nedbat 💜 Thank you for writing about this API years ago, it made a difference!

https://nedbatchelder.com/blog/201003/whats_the_point_of_ospathcommonprefix

What’s the point of os.path.commonprefix?

Most of the Python standard library is great, providing functions and classes that do their jobs well, often even before you knew you needed the job done (urlsafe_b64encode FTW!)

@sethmlarson wow, this is great. TIL about that SecureDrop bug, it long predates my time being on the team but still appreciated.

My only wish is that Python (and every other language) shipped proper path traversal resistant APIs, a la https://go.dev/blog/osroot

Traversal-resistant file APIs - The Go Programming Language

New file access APIs in Go 1.24.
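To make the confusion concrete: os.path.commonprefix() compares characters, not path components, so a containment check built on it accepts sibling directories and ".." sequences. The following is an added example, not code from the blog posts or projects linked above; it uses posixpath so the results are the same on every platform, and assumes the caller passes absolute paths (use os.path.realpath() on paths that exist on disk so symlinks are resolved as well).

```python
import posixpath


def prefix_vs_path(paths):
    """Show the difference: commonprefix() is character-wise, commonpath() is component-wise."""
    return posixpath.commonprefix(paths), posixpath.commonpath(paths)


def naive_is_inside(base, candidate):
    """The confusing pattern: a string prefix match is not a directory containment check."""
    return posixpath.commonprefix([base, candidate]) == base


def is_inside(base, candidate):
    """Component-aware containment check.

    normpath() collapses '..' lexically. For paths that exist on disk, call
    os.path.realpath() first so symlinked escapes are resolved too (assumption:
    absolute paths are supplied, as a server-side sandbox check would do).
    """
    base_n = posixpath.normpath(base)
    cand_n = posixpath.normpath(candidate)
    try:
        return posixpath.commonpath([base_n, cand_n]) == base_n
    except ValueError:  # raised when absolute and relative paths are mixed
        return False


if __name__ == "__main__":
    # Constructed sample paths: commonprefix yields "/srv/app/c", which is not a real path.
    print(prefix_vs_path(["/srv/app/config", "/srv/app/cache"]))
    for cand in ("/srv/app/static/logo.png",
                 "/srv/app-secrets/key.pem",        # sibling directory
                 "/srv/app/../app-secrets/key.pem"):  # traversal
        print(cand, naive_is_inside("/srv/app", cand), is_inside("/srv/app", cand))
```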