[Zope] Creating files on server

[Thomas B. Passin]

Yes, it's a good idea to ALWAYS compute your file names instead of letting a
user pass in a name (and perhaps a path) that you just accept.  Either strip
down to the filename and generate your own path, or generate the complete
path and name yourself.

Cheers,

Tom P

Tino Wildenhain wrote -

> ...
> Dont use + to concenat pathname parts. Use os.path.join() instead.
> Try os.path.split(os.path.normpath(os.path.join(part,of,your,pathname)))
> to see the result of the concenation and if its still in the directory
> you want it to be. (someone could feed '../../name' into your script)
>