Correct is_safe_path example in guidelines

A previous rework of the directory traversal mitigation example in I3f8d3760daceb9e62396ae21b0d915ae07eff303 was not correctly cleaned up, and left some unintended startswith method invocations behind. Get rid of those, and also correct a wrong parameter name in the main function while we're at it, as well as fixing some incorrect indentation. Change-Id: Ie5347f3b6cc8e689440db0aaf552d52ad37c231c Closes-Bug: #1928544
2021-07-02 17:12:59 +00:00 · 2021-07-02 17:12:59 +00:00 · b05ba12445
parent 5820a97832
commit b05ba12445
1 changed files with 3 additions and 3 deletions
--- a/doc/source/guidelines/dg_using-file-paths.rst
+++ b/doc/source/guidelines/dg_using-file-paths.rst
@ -81,15 +81,15 @@ defeat path traversal.
    def is_safe_path(basedir, path, follow_symlinks=True):
        # resolves symbolic links
        if follow_symlinks:
-             matchpath = os.path.realpath(path).startswith(basedir)
+            matchpath = os.path.realpath(path)
        else:
-             matchpath = os.path.abspath(path).startswith(basedir)
+            matchpath = os.path.abspath(path)
        return basedir == os.path.commonpath((basedir, matchpath))


    def main(args):
        for arg in args:
-            if is_safe_path(os.getcwd(), path):
+            if is_safe_path(os.getcwd(), arg):
                print("safe: {}".format(arg))
            else:
                print("unsafe: {}".format(arg))