gh-74453: Add stronger security warning to os.path.commonprefix by sethmlarson · Pull Request #144401 · python/cpython

sethmlarson · 2026-02-02T17:49:00Z

The first part of closing #74453, this documentation update I believe is less controversial than a deprecation. I'm recommending backporting this warning, as all Python versions supported today have commonpath().

The mix-up that commonprefix is acceptable for generating a path prefix (versus a string prefix) occurred at least once in a critical packaging tool: https://www.cve.org/CVERecord?id=CVE-2026-1703 Given its usage (40K+ hits on GitHub) I suspect this is not the only occurrence.

Issue: Deprecate os.path.commonprefix #74453

📚 Documentation preview 📚: https://cpython-previews--144401.org.readthedocs.build/

Doc/library/os.path.rst

StanFromIreland

LGTM

picnixz · 2026-02-02T20:16:11Z

Doc/library/os.path.rst

   (``''``).

-   .. note::
+   .. danger::


We do not often use "danger" but rather prefer using warning (I believe we have something about it in the devguide)

Thanks! I've updated to warning instead of danger.

I believe we have something about it in the devguide

Out of curiosity, which section? I was unable to find any on these.

Maybe here? https://devguide.python.org/documentation/markup/#paragraph-level-markup

Yes here. It is just so that we do not have a proliferation of different boxes (while Sphinx and docutils provide lots of boxes we tend to only use a few of them). In addition other security warnings were usually indicated through a warning.

Though if we actually use danger/important instead of warning, feel free to revert my suggestion (from what I remember we mostly used warning)

vstinner

LGTM.

IMO we should still consider deprecating os.path.commonprefix() and add string.commonprefix() instead. But this doc change is a good start :-)

sethmlarson · 2026-02-03T14:05:21Z

@vstinner Thanks! I'm working on a PR that deprecates the function and moves it to string.commonprefix().

miss-islington-app · 2026-02-03T14:08:14Z

Thanks @sethmlarson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

miss-islington-app · 2026-02-03T14:08:14Z

Thanks @sethmlarson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

miss-islington-app · 2026-02-03T14:08:14Z

Thanks @sethmlarson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

miss-islington-app · 2026-02-03T14:08:14Z

Thanks @sethmlarson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

miss-islington-app · 2026-02-03T14:08:15Z

Thanks @sethmlarson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

…pythonGH-144401) (cherry picked from commit 4e15b8d) Co-authored-by: Seth Michael Larson <[email protected]>

bedevere-app · 2026-02-03T14:08:28Z

GH-144426 is a backport of this pull request to the 3.10 branch.

bedevere-app · 2026-02-03T14:08:32Z

GH-144427 is a backport of this pull request to the 3.12 branch.

…pythonGH-144401) (cherry picked from commit 4e15b8d) Co-authored-by: Seth Michael Larson <[email protected]>

bedevere-app · 2026-02-03T14:08:38Z

GH-144428 is a backport of this pull request to the 3.11 branch.

bedevere-app · 2026-02-03T14:08:43Z

GH-144429 is a backport of this pull request to the 3.13 branch.

bedevere-app · 2026-02-03T14:08:47Z

GH-144430 is a backport of this pull request to the 3.14 branch.

…pythonGH-144401) (cherry picked from commit 4e15b8d) Co-authored-by: Seth Michael Larson <[email protected]>

gh-74453: Add stronger security warning to os.path.commonprefix (GH-144401) (cherry picked from commit 4e15b8d) Co-authored-by: Seth Michael Larson <[email protected]>

sethmlarson · 2026-02-03T15:50:11Z

I've created the follow-up PR which deprecates os.path.commonprefix: #144436

…pythonGH-144401)

Add stronger security warning to os.path.commonprefix

5704727

bedevere-app bot added the awaiting review label Feb 2, 2026

bedevere-app bot mentioned this pull request Feb 2, 2026

Deprecate os.path.commonprefix #74453

Open

bedevere-app bot added docs Documentation in the Doc dir skip news labels Feb 2, 2026

github-project-automation bot added this to Docs PRs Feb 2, 2026

github-project-automation bot moved this to Todo in Docs PRs Feb 2, 2026

sethmlarson added type-security A security issue stdlib Standard Library Python modules in the Lib/ directory skip news and removed awaiting review skip news labels Feb 2, 2026

StanFromIreland reviewed Feb 2, 2026

View reviewed changes

Doc/library/os.path.rst Show resolved Hide resolved

Remove duplicated recommendation to use commonpath().

fa43ff8

StanFromIreland approved these changes Feb 2, 2026

View reviewed changes

bedevere-app bot added the awaiting core review label Feb 2, 2026

picnixz reviewed Feb 2, 2026

View reviewed changes

Use "warning", not "danger"

79e135c

sethmlarson requested a review from picnixz February 2, 2026 21:55

picnixz approved these changes Feb 2, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Feb 2, 2026

vstinner approved these changes Feb 3, 2026

View reviewed changes

encukou merged commit 4e15b8d into python:main Feb 3, 2026
47 of 56 checks passed

github-project-automation bot moved this from Todo to Done in Docs PRs Feb 3, 2026

bedevere-app bot removed the awaiting merge label Feb 3, 2026

encukou added awaiting merge needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Feb 3, 2026

encukou added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 3, 2026

bedevere-app bot removed the needs backport to 3.10 only security fixes label Feb 3, 2026

bedevere-app bot removed the needs backport to 3.12 only security fixes label Feb 3, 2026

bedevere-app bot removed the needs backport to 3.11 only security fixes label Feb 3, 2026

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Feb 3, 2026

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Feb 3, 2026

sethmlarson deleted the os-path-commonprefix branch February 3, 2026 14:16

sethmlarson mentioned this pull request Feb 3, 2026

gh-74453: Deprecate os.path.commonprefix #144436

Open

Aniketsy pushed a commit to Aniketsy/cpython that referenced this pull request Feb 3, 2026

pythongh-74453: Add stronger security warning to os.path.commonprefix (…

c3b31ea

…pythonGH-144401)

Uh oh!

Conversation

sethmlarson commented Feb 2, 2026 • edited by github-actions bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

StanFromIreland left a comment

Choose a reason for hiding this comment

Uh oh!

picnixz Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

sethmlarson Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

StanFromIreland Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

sethmlarson Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

picnixz Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

vstinner left a comment

Choose a reason for hiding this comment

Uh oh!

sethmlarson commented Feb 3, 2026

Uh oh!

Uh oh!

miss-islington-app bot commented Feb 3, 2026

Uh oh!

miss-islington-app bot commented Feb 3, 2026

Uh oh!

miss-islington-app bot commented Feb 3, 2026

Uh oh!

miss-islington-app bot commented Feb 3, 2026

Uh oh!

miss-islington-app bot commented Feb 3, 2026

Uh oh!

bedevere-app bot commented Feb 3, 2026

Uh oh!

bedevere-app bot commented Feb 3, 2026

Uh oh!

bedevere-app bot commented Feb 3, 2026

Uh oh!

bedevere-app bot commented Feb 3, 2026

Uh oh!

bedevere-app bot commented Feb 3, 2026

Uh oh!

sethmlarson commented Feb 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

sethmlarson commented Feb 2, 2026 •

edited by github-actions bot

Loading

picnixz Feb 2, 2026 •

edited

Loading