
Jan. 15, 2013
8:36 a.m.
Vinay Sajip wrote:
Isn't the requirement to recurse implied by the presence of '**' in the pattern? What's to be gained by specifying it using allow_recursive as well? Will having allow_recursive=True have any effect if '**' is not in the pattern? If you specify a pattern with '**' and allow_recursive=False, does that mean that '**' effectively acts as '*' would (i.e. one directory level only)?
The glob string may come from the user or a remote source. It is possible that a developer using glob has never considered that "**" might be added, leading to an attacker accessing files in directories they are not allowed to, or to DoS attacks because glob becomes very slow.
Jeremy
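As an added example (not code from this thread or from the stdlib), one way a caller can treat a glob pattern as untrusted input along the lines discussed above: `safe_glob` and `build_sample_tree` are hypothetical names, and the example assumes Python 3.5+ for `glob.glob(..., recursive=...)`.

```python
import glob
import os
import tempfile


class UnsafeGlobPattern(ValueError):
    """Raised when an untrusted pattern asks for something the caller did not allow."""


def safe_glob(base_dir, pattern, allow_recursive=False):
    """Expand `pattern` relative to `base_dir`, returning only paths confined to it.

    - '**' is rejected unless allow_recursive=True, so a caller that never
      considered recursive matching does not silently get a whole-tree walk.
    - Absolute patterns and '..' segments are rejected before expansion.
    - Every match is resolved and checked to lie under base_dir, so a symlink
      pointing outside the directory is dropped instead of being returned.
    """
    parts = pattern.replace(os.sep, "/").split("/")
    if os.path.isabs(pattern) or ".." in parts:
        raise UnsafeGlobPattern("pattern must be relative and must not contain '..'")
    if "**" in pattern and not allow_recursive:
        raise UnsafeGlobPattern("recursive '**' is not allowed for this pattern")
    base = os.path.realpath(base_dir)
    # With recursive=False, '**' in the pattern behaves like a single '*'.
    matches = glob.glob(os.path.join(base, pattern), recursive=allow_recursive)
    confined = []
    for path in matches:
        real = os.path.realpath(path)
        if real == base or real.startswith(base + os.sep):
            confined.append(os.path.relpath(real, base))
    return sorted(confined)


def build_sample_tree():
    """Constructed fixture: a temp dir with nested files and a symlink escaping it."""
    root = tempfile.mkdtemp(prefix="safe_glob_")
    inside = os.path.join(root, "data")
    os.makedirs(os.path.join(inside, "sub", "deeper"))
    for rel in ("a.txt", "sub/b.txt", "sub/deeper/c.txt"):
        open(os.path.join(inside, rel), "w").close()
    outside = os.path.join(root, "secret")  # sibling dir the caller must not expose
    os.makedirs(outside)
    open(os.path.join(outside, "key.txt"), "w").close()
    try:
        os.symlink(outside, os.path.join(inside, "escape"))
    except OSError:
        pass  # platforms without symlink support still exercise the other checks
    return inside
```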