-Validate user input before using it to construct a file path, either using an off-the-shelf library function
-like werkzeug.utils.secure_filename, or by performing custom validation.
+Validate paths constructed from untrusted user input before using them to access files.
-Ideally, follow these rules: +The choice of validation depends on the use case.
-
+If you want to allow paths spanning multiple folders, a common strategy is to make sure that the constructed
+file path is contained within a safe root folder. First, normalize the path using os.path.normpath or
+os.path.realpath (make sure to use the latter if symlinks are a consideration)
+to remove any internal ".." segments and/or follow links. Then check that the normalized path starts with the
+root folder. Note that the normalization step is important, since otherwise even a path that starts with the root
+folder could be used to access files outside the root folder.
+
+More restrictive options include using a library function like werkzeug.utils.secure_filename to eliminate
+any special characters from the file path, or restricting the path to a known list of safe paths. These options are
+safe, but can only be used in particular circumstances.
+