Does This Scare You?

Jon Ribbens jon+usenet at unequivocal.eu
Mon Aug 22 07:50:25 EDT 2016


On 2016-08-22, Chris Angelico <rosuav at gmail.com> wrote:
> On Mon, Aug 22, 2016 at 8:33 PM, Jon Ribbens <jon+usenet at unequivocal.eu> wrote:
>> On 2016-08-22, Steve D'Aprano <steve+python at pearwood.info> wrote:
>>> On Mon, 22 Aug 2016 10:38 am, eryk sun wrote:
>>>> To me it's scary that this check misses cases because it's trying to
>>>> be cross-platform instead of simply relying on GetFullPathName to do
>>>> the work. For example, it misses at least the following cases:
>>>
>>> Instead of shaking in your boots over a simple bug in a non-critical
>>> library, how about reporting these cases on the bug tracker with an
>>> explanation of the problem?
>>
>> That seems a rather unnecessarily harsh response.
>> Also, it's not "non-critical", this is a security bug.
>
> Explain how?

I don't know what purpose you are envisaging this function being used
for, but the only one I can think of is input sanitisation. e.g. a web
form where you receive a file from the Internet and store it somewhere,
and you want to use the filename given to you rather than choose your
own randomly-generated one.

Under Unix all you need to do is check for the filename starting with
"." or containing "/." (or "/", depending on your requirements).
Under Windows you would use this function, which apparently doesn't
work, hence: security hole.
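The Unix check described above, as an added Python example (not code from the thread or from the library function under discussion); the names `is_safe_upload_name`, `upload_path`, `check_samples` and the sample filenames are constructed for this illustration, and the rejection of a leading "/" is an added caveat rather than part of the rule stated in the post.

```python
import posixpath


def is_safe_upload_name(name: str, allow_subdirs: bool = False) -> bool:
    """Return True if `name` may be used as-is to store an uploaded file.

    Implements the Unix rule from the post: reject a name that starts with
    "." (covers ".", ".." and dotfiles) or contains "/." (covers "a/../b"
    and "a/.hidden").  With allow_subdirs=False any "/" is rejected, which
    is the stricter variant the post mentions.
    """
    if not name or name.startswith(".") or "/." in name:
        return False
    if "/" in name:
        if not allow_subdirs:
            return False
        # Added caveat, not stated in the post: when "/" is allowed, a
        # leading "/" still passes the two checks above and would point
        # outside the upload directory, so absolute names, trailing "/"
        # and empty components are rejected here as well.
        if name.startswith("/") or name.endswith("/") or "//" in name:
            return False
    return True


def upload_path(upload_dir: str, name: str, allow_subdirs: bool = False) -> str:
    """Join a validated name onto upload_dir; raise ValueError if rejected."""
    if not is_safe_upload_name(name, allow_subdirs):
        raise ValueError(f"rejected filename: {name!r}")
    return posixpath.join(upload_dir, name)


# Constructed sample names as a web form might receive them (not real data).
SAMPLES = [
    "report.pdf",
    ".bashrc",
    "..",
    "../etc/passwd",
    "docs/../../etc/passwd",
    "docs/.hidden",
    "docs/notes.txt",
    "/etc/passwd",
]


def check_samples(allow_subdirs: bool = False) -> dict:
    """Map each sample name to the verdict of is_safe_upload_name."""
    return {n: is_safe_upload_name(n, allow_subdirs) for n in SAMPLES}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"allow_subdirs={mode}")
        for n, ok in check_samples(mode).items():
            print(f"  {'accept' if ok else 'reject':6} {n!r}")
```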
