Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork34k
gh-74453: Add stronger security warning to os.path.commonprefix#144401
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Conversation
Uh oh!
There was an error while loading.Please reload this page.
StanFromIreland left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM
Doc/library/os.path.rst Outdated
| (``''``). | ||
| ..note:: | ||
| ..danger:: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
We do not often use "danger" but rather prefer using warning (I believe we have something about it in the devguide)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks! I've updated towarning instead ofdanger.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I believe we have something about it in the devguide
Out of curiosity, which section? I was unable to find any on these.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Yes here. It is just so that we do not have a proliferation of different boxes (while Sphinx and docutils provide lots of boxes we tend to only use a few of them). In addition other security warnings were usually indicated through a warning.
Though if we actually use danger/important instead of warning, feel free to revert my suggestion (from what I remember we mostly used warning)
Uh oh!
There was an error while loading.Please reload this page.
The first part of closing#74453, this documentation update I believe is less controversial than a deprecation. I'm recommending backporting this warning, as all Python versions supported today have
commonpath().The mix-up that
commonprefixis acceptable for generating a path prefix (versus a string prefix) occurred at least once in a critical packaging tool:https://www.cve.org/CVERecord?id=CVE-2026-1703 Given its usage (40K+ hits on GitHub) I suspect this is not the only occurrence.📚 Documentation preview 📚:https://cpython-previews--144401.org.readthedocs.build/