Closed
Description
Hi,
Currently (python 3.10.6 & 3.11.0):
```python
>>> from pathlib import Path
>>> p = Path('/var/log/../../opt')
>>> p.is_relative_to('/var/log')
True
>>> p = p.resolve()
>>> p.is_relative_to('/var/log')
False
```
Once you know `is_relative_to` uses `relative_to`, this makes more sense, but it's not obvious from the documentation and the examples given. Also, it can easily lead to code that looks secure but isn't. Case in point, I was tasked with reviewing this code today (simplified for illustration purposes):
```python
from pathlib import Path

path = Path(ROOT_PATH, user_input_rel_path)
# Purely lexical check: '..' components in user_input_rel_path are not collapsed.
if path.is_relative_to(ROOT_PATH):
    path.unlink()
else:
    raise PermissionError('Nope!')
```
I was unsure if I should open a bug or not because one could easily argue it isn't a bug. I do believe however that a warning in the documentation could save a few devs from making a mistake.
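To make the gap concrete, here is an added example (not from the issue or from CPython) that contrasts the lexical check in the snippet above with a variant that resolves both sides before comparing; the helper names `lexical_check`, `resolved_check`, `safe_unlink` and `demo` are made up for this illustration, and the directory tree and inputs are constructed in a temporary directory.

```python
from pathlib import Path
import tempfile


def lexical_check(root: Path, user_rel: str) -> bool:
    """The issue's pattern: is_relative_to() only compares path components,
    so a '..' segment in user_rel is never collapsed against root."""
    return Path(root, user_rel).is_relative_to(root)


def resolved_check(root: Path, user_rel: str) -> bool:
    """Hardened variant: resolve() collapses '..' and follows symlinks on both
    sides, so the comparison reflects where the path really points."""
    root = root.resolve()
    return (root / user_rel).resolve().is_relative_to(root)


def safe_unlink(root: Path, user_rel: str) -> Path:
    """Delete root/user_rel only when its resolved location stays under root."""
    root = root.resolve()
    target = (root / user_rel).resolve()
    if not target.is_relative_to(root):
        raise PermissionError('Nope!')
    target.unlink()
    return target


def demo() -> dict:
    """Exercise both checks on a constructed tree: uploads/ok.txt inside the
    root and secret.txt one level above it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / 'uploads'
        root.mkdir()
        outside = base / 'secret.txt'
        outside.write_text('keep me')
        inside = root / 'ok.txt'
        inside.write_text('disposable')
        escaping = '../secret.txt'  # constructed input that leaves the root
        result = {
            'lexical_escaping': lexical_check(root, escaping),    # True: looks fine
            'resolved_escaping': resolved_check(root, escaping),  # False: caught
            'resolved_inside': resolved_check(root, 'ok.txt'),    # True: allowed
        }
        try:
            safe_unlink(root, escaping)
            result['blocked'] = False
        except PermissionError:
            result['blocked'] = True
        result['outside_survives'] = outside.exists()
        safe_unlink(root, 'ok.txt')
        result['inside_removed'] = not inside.exists()
        return result
```

Because `safe_unlink` resolves the target, a symlink placed inside the root that points outside it is rejected as well, which the lexical check would also miss.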