Allow only safe syntax in c.expand_path_expression #3260

edreamleo · 2023-04-07T21:40:11Z

See PR #3264.

Path expressions are desirable, but they must be made completely safe. Leo' present path expressions (c.expand_path_expression) are serious security violations that virus scanners will never find.

Aha: c.expand_path_expression need only use Python's existing os.path capabilities. os.path.expandvars does more than Leo's legacy path expression!
Bye-bye {{ and }}!

The text was updated successfully, but these errors were encountered:

boltex · 2023-04-08T01:31:55Z

it's already implemented in leojs.

can you elaborate as to why it would be a security concern?

edreamleo · 2023-04-09T13:44:36Z

Closed via PR #3264.

edreamleo added Enhancement Code Re Leo's code labels Apr 7, 2023

edreamleo added this to the 6.7.3 milestone Apr 7, 2023

edreamleo self-assigned this Apr 7, 2023

edreamleo changed the title ~~Don't use c.expand_path_expression~~ Allow only safe syntax in c.expand_path_expression Apr 8, 2023

edreamleo mentioned this issue Apr 8, 2023

PR for #3260: safe path expressions #3264

Merged

3 tasks

edreamleo closed this as completed Apr 9, 2023

This was referenced Apr 9, 2023

Deprecate c.getBaseDirectory #3266

Closed

PR for #3266: simplify path handling further #3267

Merged

PR: Cleanups of g.os_path wrappers and related methods. #3273

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow only safe syntax in c.expand_path_expression #3260

Allow only safe syntax in c.expand_path_expression #3260

edreamleo commented Apr 7, 2023 •

edited

boltex commented Apr 8, 2023

edreamleo commented Apr 9, 2023

Allow only safe syntax in c.expand_path_expression #3260

Allow only safe syntax in c.expand_path_expression #3260

Comments

edreamleo commented Apr 7, 2023 • edited

boltex commented Apr 8, 2023

edreamleo commented Apr 9, 2023

edreamleo commented Apr 7, 2023 •

edited