From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Tue, 3 Feb 2026 14:28:39 +0000 (+0100)
Subject: [3.14] gh-74453: Add stronger security warning to os.path.commonprefix
X-Git-Tag: v3.14.3~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb0790f2d79e0bead89ca5e42e9005a311f928d4;p=thirdparty%2FPython%2Fcpython.git

[3.14] gh-74453: Add stronger security warning to os.path.commonprefix

gh-74453: Add stronger security warning to os.path.commonprefix (GH-144401)
(cherry picked from commit 4e15b8d95da9a0f58ad58283979c37e43ff61229)

Co-authored-by: Seth Michael Larson <seth@python.org>
---

diff --git a/Doc/library/os.path.rst b/Doc/library/os.path.rst
index 4d3aa8b5c482..0f805de0fdec 100644
--- a/Doc/library/os.path.rst
+++ b/Doc/library/os.path.rst
@@ -97,15 +97,17 @@ the :mod:`glob` module.)
 
 .. function:: commonprefix(list, /)
 
-   Return the longest path prefix (taken character-by-character) that is a
-   prefix of all paths in  *list*.  If *list* is empty, return the empty string
+   Return the longest string prefix (taken character-by-character) that is a
+   prefix of all strings in *list*.  If *list* is empty, return the empty string
    (``''``).
 
-   .. note::
+   .. warning::
 
       This function may return invalid paths because it works a
-      character at a time.  To obtain a valid path, see
-      :func:`commonpath`.
+      character at a time.
+      If you need a **common path prefix**, then the algorithm
+      implemented in this function is not secure. Use
+      :func:`commonpath` for finding a common path prefix.
 
       ::