Description
Hi,
I recently found out that when doing operations like "get_object" with paths like "." and ".." you are able to retrieve information about buckets and retrieve files from different buckets. At least in our system, with a locally hosted S3 storage.
S3.get_object("some_bucket", "..") would return all buckets, and using that information, S3.get_object("some_bucket", "../another_bucket") would return (the first 1000) objects of 'another_bucket'. And then by using that information you would be able to get objects from a different bucket.
On one hand this all looks kind of valid, and obviously you can still only access files you have the rights to, but it doesn't feel right.
So I wanted to maybe start a short discussion about whether the library should be blocking object operations to ".", ".." and paths starting with "./" and "../".
Thanks
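Added example, not code from the issue author or from the library: it models why a `..` key can escape the bucket and what the proposed client-side check would reject. It assumes path-style addressing (`/bucket/key`) and a server that collapses `.` and `..` segments before routing; the issue reports the behaviour against an unnamed locally hosted S3 implementation, and whether a given server normalizes the path is exactly what decides whether the traversal works. The function names are hypothetical, and the keys are constructed inputs.

```python
import posixpath
from urllib.parse import quote


def request_path(bucket: str, key: str) -> str:
    """Path-style S3 request target: /bucket/key, key percent-encoded except '/'.

    '.' is an unreserved character, so '..' survives encoding unchanged.
    """
    return f"/{bucket}/{quote(key, safe='/')}"


def normalized_target(bucket: str, key: str) -> str:
    """Where a server that collapses '.'/'..' segments would route the request.

    Assumption: the server applies POSIX-style path normalization. Real AWS S3
    treats the key as an opaque string; the issue was observed on a local S3 server.
    """
    return posixpath.normpath(request_path(bucket, key))


def is_traversal_key(key: str) -> bool:
    """The exact check proposed in the issue: '.', '..', or a './' / '../' prefix."""
    return key in (".", "..") or key.startswith("./") or key.startswith("../")


def has_dot_segment(key: str) -> bool:
    """Stricter variant: any '.' or '..' segment anywhere in the key (e.g. 'a/../b').

    'a/..' or 'x/../../other' also escape the bucket prefix on a normalizing server
    but pass the prefix-only check above.
    """
    return any(seg in (".", "..") for seg in key.split("/"))


def is_safe_key(key: str, strict: bool = True) -> bool:
    """True if the key would stay inside the bucket path on a normalizing server."""
    if is_traversal_key(key):
        return False
    if strict and has_dot_segment(key):
        return False
    return True


def get_object_guarded(bucket: str, key: str, strict: bool = True) -> str:
    """Client-side guard a library could apply before building the request.

    Returns the request path it would send; raises ValueError instead of sending
    a request that a normalizing server would route to another bucket.
    """
    if not is_safe_key(key, strict):
        raise ValueError(f"refusing object key {key!r}: '.' or '..' path segment")
    return request_path(bucket, key)


if __name__ == "__main__":
    # Constructed keys reproducing the sequence described in the issue.
    for key in ("..", "../another_bucket", "secret/../../another_bucket", "reports/2024/..x"):
        path = request_path("some_bucket", key)
        print(f"{path!r:40} -> normalizes to {normalized_target('some_bucket', key)!r}"
              f"  proposed check blocks: {is_traversal_key(key)}"
              f"  strict check blocks: {not is_safe_key(key)}")
```

The first two keys reproduce the issue's `get_object("some_bucket", "..")` and `get_object("some_bucket", "../another_bucket")`: on a normalizing server they route to `/` (list all buckets) and `/another_bucket` (list that bucket). The third key shows why a prefix-only check is not sufficient on such a server, and the last shows that `..x` is an ordinary key the strict check still allows. Blocking on the client is defence in depth only; the authorization decision still belongs to the server, which is where a normalizing implementation should be fixed.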