Does This Scare You?

Chris Angelico rosuav at gmail.com
Mon Aug 22 09:17:50 EDT 2016


On Mon, Aug 22, 2016 at 10:56 PM, Random832 <random832 at fastmail.com> wrote:
>> Most of the reserved names will simply give an error; the only way
>> you'd actually get incorrect behaviour is if the file name, including
>> extension, is exactly a device name.
>
> I think the reason you believe this can be traced back to the
> "C:\con\con" trick, which crashed the system by trying to use the name
> as a directory.

I tried things like "con.txt" and it simply failed (no such file or
directory), without printing anything to the console. But as Eryk
says, adding an underscore is safe; and to be honest, I wouldn't
accept file names from untrusted sources on *any* system - at the very
least, I'd prefix/suffix them with something to ensure uniqueness,
which would deal with this issue as a convenient side effect. (Or
alternatively, I'd use arbitrary numbers or hashes as the file names,
and store the originally-submitted file name in some sort of metadata
repository, like a Postgres table.)

So I still don't see this as a security problem, just a practicality one.

ChrisA
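As an added example (not part of Chris's post or of any Python project), here are the three defensive options the message mentions, written in Python: a reserved-device-name check that ignores the extension (Windows treats "con.txt" as the CON device, the stem before the first dot is what matters), the prefix approach, and the opaque-name-plus-metadata approach. The `metadata` dict is a stand-in for the Postgres table; `store_upload` and `prefixed_name` are hypothetical names.

```python
import re
import secrets
from pathlib import PureWindowsPath

# Windows reserved device names. The check below looks only at the stem
# before the first dot, so "CON.txt" matches just like "CON".
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_windows_reserved(name: str) -> bool:
    """True if `name` (with or without extension) would be treated as a device."""
    stem = name.split(".")[0].strip().upper()
    return stem in _RESERVED


def prefixed_name(submitted_name: str, prefix: str = "upload_") -> str:
    """Option 1 from the post: keep the user's basename but prefix it.

    The prefix alone defeats the device-name rule ("upload_con" is a plain
    file); the character filter additionally drops anything outside a
    conservative set, and PureWindowsPath().name strips any directory part.
    """
    base = PureWindowsPath(submitted_name).name
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "file"
    return prefix + cleaned


def store_upload(submitted_name: str, metadata: dict) -> str:
    """Option 2 from the post: store under a random name, keep the real one aside.

    `metadata` stands in for the Postgres table (hypothetical stand-in).
    A 32-char hex token contains no letters outside A-F, so it can never
    spell a reserved device name, and uniqueness comes for free.
    """
    disk_name = secrets.token_hex(16)
    metadata[disk_name] = submitted_name
    return disk_name


if __name__ == "__main__":
    # Constructed sample submissions, including the troublesome ones.
    for candidate in ("report.pdf", "con", "CON.txt", "lpt1.log", "con_.txt"):
        print(f"{candidate!r:12} reserved={is_windows_reserved(candidate)}"
              f" prefixed={prefixed_name(candidate)!r}")
```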
