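def write_file(file, data):
    """Decode UTF-8 *data* and write it to *file* as text.

    Args:
        file: Path of the file to create or truncate. It is passed to
            ``open`` exactly as given, so a caller-controlled value lets the
            caller write anywhere the process may write; validate or
            allowlist it before calling.
        data: UTF-8 encoded ``bytes`` (or ``bytearray``/``memoryview``).
            A ``str`` is accepted and written as-is.

    Raises:
        UnicodeDecodeError: if ``data`` is not valid UTF-8.
        OSError: if the file cannot be opened for writing.
    """
    # str(data, 'utf-8') raises TypeError when data is already a str.
    text = data if isinstance(data, str) else str(data, 'utf-8')
    # The context manager closes the handle even if write() raises. An
    # explicit encoding avoids re-encoding the decoded text with the
    # platform default, which can fail or alter it on non-UTF-8 locales.
    with open(file, 'w', encoding='utf-8') as fp:
        fp.write(text)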
129 return self.data
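def save(self, path):
    """Write ``self.data`` to *path* as UTF-8 text.

    Args:
        path: Destination file, created or truncated. It is used exactly as
            given, so a caller-controlled value can overwrite any file the
            process may write; validate it before calling.

    Raises:
        UnicodeDecodeError: if ``self.data`` is bytes that are not valid UTF-8.
        OSError: if the file cannot be opened for writing.
    """
    data = self.data
    # str(data, 'utf-8') raises TypeError when data is already a str.
    text = data if isinstance(data, str) else str(data, 'utf-8')
    # The context manager closes the handle even if write() raises; the
    # explicit encoding keeps the output UTF-8 regardless of locale.
    with open(path, 'w', encoding='utf-8') as f:
        f.write(text)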
def __init__(self, file_path, filename):
    """Store the path/name and open *file_path* for binary reading.

    The open handle is kept on ``self.file`` for later use; nothing in this
    method closes it, so the owner of the instance is responsible for that.
    ``file_path`` is handed to ``open`` exactly as given: a caller-controlled
    value can point at any file the process can read, so validate it before
    constructing the object.
    """
    self.filename = filename
    self.file_path = file_path
    # Binary mode: the contents are handled as raw bytes, not decoded text.
    self.file = open(file_path, 'rb')
100 def __len__(self):
101 position = self.file.tell()
Python's open()
function can take in a relative or absolute path and read its file contents.
If an untrusted user controls the path that is opened, the call becomes a path-traversal (directory traversal) vulnerability: `../` segments, or an absolute path that makes `os.path.join` discard the base directory, let them read or write files outside the directory you intended.
def read_file(path):
    """Read the file at ``some/path/<path>`` -- the VULNERABLE example.

    ``os.path.join`` does not neutralise ``..`` segments, and an absolute
    ``path`` replaces the base directory entirely, so a caller-controlled
    ``path`` can reach any readable file on the system. The contents are
    read and discarded, exactly as in the original listing.
    """
    target = os.path.join('some/path', path)
    with open(target) as handle:
        handle.read()
# Someone can exploit `read_file` and see your secrets this way: the `..`
# segments walk up out of 'some/path' before the file is opened.
read_file('../../../secrets.txt')
Either use a static path:
def read_file(path):
    """Read a fixed file under ``some/path`` regardless of *path*.

    The argument is kept for interface compatibility but never reaches the
    filesystem, so there is nothing for a caller to traverse. The contents
    are read and discarded, exactly as in the original listing.
    """
    fixed_target = 'some/path/to/file.txt'
    with open(fixed_target) as handle:
        handle.read()
Or, validate the name against an allowlist of permitted files, so that a caller can never turn it into arbitrary file access:
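_ALLOWED_FILES = frozenset(('x.txt', 'y.txt'))


def read_file(filename):
    """Return the contents of ``some/path/<filename>`` if it is allowlisted.

    Only the exact names in ``_ALLOWED_FILES`` are accepted, so a value such
    as ``'../x.txt'`` or an absolute path never reaches ``open``. The
    original listing joined an undefined name (``path``) instead of
    ``filename``, which raised ``NameError`` for every allowed name.

    Args:
        filename: Bare file name to read; compared exactly, no normalisation.

    Returns:
        The file contents, or the string ``'Invalid filename'`` when
        ``filename`` is not allowlisted.

    Raises:
        OSError: if an allowlisted file cannot be opened.
    """
    # Exact-match allowlist: the only names that can reach open() are the
    # two literals above, so no join/normalisation trick can escape the base.
    if filename not in _ALLOWED_FILES:
        return 'Invalid filename'
    with open(os.path.join('some/path', filename)) as f:
        return f.read()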