os.path.abspath returns invalid path (resolves symbolic link) #87976

Closed
rvisser mannequin opened this issue Apr 12, 2021 · 4 comments
Labels: 3.7 (EOL): end of life; 3.8: only security fixes; topic-IO; type-bug: An unexpected behavior, bug, or error

rvisser mannequin commented Apr 12, 2021

BPO 43810
Nosy @eryksun

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2021-04-12.05:40:06.953>
created_at = <Date 2021-04-12.05:24:45.668>
labels = ['3.8', 'invalid', 'type-bug', '3.7', 'expert-IO']
title = 'os.path.abspath returns invalid path (resolves symbolic link)'
updated_at = <Date 2021-04-13.23:21:20.342>
user = 'https://bugs.python.org/rvisser'

bugs.python.org fields:

activity = <Date 2021-04-13.23:21:20.342>
actor = 'eryksun'
assignee = 'none'
closed = True
closed_date = <Date 2021-04-12.05:40:06.953>
closer = 'eryksun'
components = ['IO']
creation = <Date 2021-04-12.05:24:45.668>
creator = 'rvisser'
dependencies = []
files = []
hgrepos = []
issue_num = 43810
keywords = []
message_count = 4.0
messages = ['390818', '390820', '390982', '391012']
nosy_count = 2.0
nosy_names = ['eryksun', 'rvisser']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue43810'
versions = ['Python 3.7', 'Python 3.8']


rvisser mannequin commented Apr 12, 2021

According to the Python documentation, os.path.abspath() does *not* resolve symbolic links. This, however, does not always seem to be true, causing an invalid path to be returned by abspath. This could potentially be exploited to crash Python applications.

Example for bug reproduction on a linux terminal:

  1. create a sub-directory "bug_abspath"
  2. enter the sub-dir "bug_abspath"
  3. create a symbolic link "local_link" onto the current dir using: "ln -s . local_link"
  4. open python session and import os and enter the following:
  5. path_correct = os.path.abspath('./../bug_abspath') # returns correct path
  6. path_invalid = os.path.abspath('local_link/../bug_abspath') # returns invalid path with wrongly resolved "local_link"

From step 5 the correct/valid path is returned; from step 6 abspath returns an invalid path that is non-existing (contains non-existing "bug_abspath/bug_abspath" string).
I consider this behavior incorrect and interpret it as a bug in the abspath routine which is not allowed to resolve the symbolic link "local_link".
(Note os.path.realpath works as expected but is unwanted by me).

Tested on
OS: linux ubuntu 20.04, CentOS 7.8
PY: python 3.7 and 3.8

Thanks for any help, best wishes, Rene


eryksun commented Apr 12, 2021

In POSIX, os.path.abspath(p) is normpath(join(os.getcwd(), p)). normpath() doesn't touch the filesystem, and it's documented that its "string manipulation may change the meaning of a path that contains symbolic links". You can use os.path.realpath() to resolve symbolic links in a path.


rvisser mannequin commented Apr 13, 2021

Thanks Eryk for your fast response. Apparently I somehow skipped the remark
about symbolic links in combination with abspath. Thank you for pointing
this out and apologies for wasting some of your time!!
Best wishes, Rene Visser

--

-------------------------------------------------------

René Visser
Stuttgart, Germany
email: renevisser@gmail.com

-------------------------------------------------------


eryksun commented Apr 13, 2021

If realpath() resolves too much, you'll have to resolve manually via os.path.islink() and os.readlink(). If you need strict resolution, use pathlib.Path.resolve(). In strict mode it raises FileNotFoundError if a path component doesn't exist. Also, even in non-strict mode, it raises RuntimeError for a symlink loop.
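
The layout from the report, rebuilt in a temporary directory as an added example that is not part of the original thread: it compares `os.path.abspath()`, `os.path.realpath()` and strict `pathlib.Path.resolve()`, and shows one manual resolver built on `os.path.islink()` and `os.readlink()` that expands a link only where a `..` follows it. The helper name `abspath_following_dotdot`, its `max_links` bound and the file name `notes.txt` are assumptions made for illustration, and POSIX paths are assumed.

```python
import os
import tempfile
from pathlib import Path


def abspath_following_dotdot(path, max_links=40):
    """Absolute path where '..' applies to a symlink's target, not its name.
    Links not followed by '..' stay unresolved. max_links is an assumed bound."""
    path = os.path.join(os.getcwd(), path)  # an absolute path is returned unchanged
    pending = [c for c in path.split(os.sep) if c not in ("", ".")]
    resolved, hops = os.sep, 0
    while pending:
        comp = pending.pop(0)
        if comp != "..":
            resolved = os.path.join(resolved, comp)
        elif os.path.islink(resolved):
            hops += 1
            if hops > max_links:
                raise RuntimeError("symlink loop in " + path)
            target = os.readlink(resolved)
            # A relative target is interpreted from the link's own directory.
            resolved = os.sep if os.path.isabs(target) else os.path.dirname(resolved)
            pending = [c for c in target.split(os.sep) if c not in ("", ".")] + [".."] + pending
        else:
            resolved = os.path.dirname(resolved)
    return resolved


def demo():
    """Rebuild the report's layout in a temp dir (constructed sample) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(os.path.realpath(tmp), "bug_abspath")
        os.mkdir(base)
        os.symlink(".", os.path.join(base, "local_link"))  # ln -s . local_link
        reported = os.path.join(base, "local_link", "..", "bug_abspath")
        kept = os.path.join(base, "local_link", "notes.txt")
        lexical = os.path.abspath(reported)  # normpath(): string manipulation only
        try:
            strict = str(Path(lexical).resolve(strict=True))
        except FileNotFoundError:
            strict = "FileNotFoundError"
        return {"base": base, "abspath": lexical, "strict": strict,
                "realpath": os.path.realpath(reported),
                "manual": abspath_following_dotdot(reported),
                "manual_kept": abspath_following_dotdot(kept),
                "realpath_kept": os.path.realpath(kept)}


if __name__ == "__main__":
    print(demo())
```

In the result, `abspath` ends in `bug_abspath/bug_abspath` and fails the strict check, `realpath` and `manual` both return the real directory, and only `manual_kept` still contains `local_link`.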

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022