[issue13238] Add shell command helpers to shutil module

Antoine Pitrou report at bugs.python.org
Sat Oct 29 13:16:52 CEST 2011


Antoine Pitrou <pitrou at free.fr> added the comment:

> With the default whitespace escaping (which allows spaces in
> filenames), wildcard matching still works (thus the list of
> directories matching the "../py*" pattern), but with full quoting it
> breaks (thus the "nothing named '../py*'" result).

My question is why it would be a good idea to make a difference between
whitespace and other characters. If you use a wildcard pattern,
generally it won't contain spaces at all, so you don't have to quote it.
If you are injecting a normal filename, noticing that whitespace gets
quoted may get you a false sense of security until somebody injects a
wildcard character that won't get quoted.

So what I'm saying is that a middle ground between quoting and no quoting
is dangerous and not very useful.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13238>
_______________________________________
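
Added example, not part of the original message or of the patch under discussion: it runs the same argument through a POSIX `sh` twice, once with whitespace-only escaping and once with `shlex.quote`, and returns what the command actually received. `escape_whitespace_only` is a hypothetical stand-in for the "default whitespace escaping" mentioned above, and the file names are constructed sample data.

```python
import os
import re
import shlex
import subprocess
import tempfile


def escape_whitespace_only(name):
    """Hypothetical 'middle ground' helper: backslash-escape spaces/tabs only."""
    return re.sub(r"([ \t])", r"\\\1", name)


def args_seen_by_command(shell_word, cwd):
    """Run printf through sh and return the arguments it actually received."""
    out = subprocess.run(
        ["sh", "-c", "printf '%s\\n' " + shell_word],
        cwd=cwd, capture_output=True, text=True, check=True,
    ).stdout
    return sorted(out.splitlines())


def compare(name):
    """Return (args with whitespace-only escaping, args with shlex.quote)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files for the demonstration.
        for f in ("report 1.txt", "notes.txt", "private.key"):
            open(os.path.join(d, f), "w").close()
        return (args_seen_by_command(escape_whitespace_only(name), d),
                args_seen_by_command(shlex.quote(name), d))


if __name__ == "__main__":
    # A name with a space behaves identically under both schemes;
    # a name containing a wildcard does not.
    for name in ("report 1.txt", "*"):
        partial, full = compare(name)
        print(f"{name!r}: whitespace-only -> {partial}; shlex.quote -> {full}")
```

The name with a space reaches the command as one argument either way, which is what makes the partial scheme look safe; the `*` name reaches it as every file in the directory unless it is fully quoted.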

