On Wednesday 17 February 2010 18:21:59 Matthew Toseland wrote:
> + private static final boolean operatingSystemIsWindows() { // TODO: Move
> to the proper class + try {
> + return
> System.getProperty("os.name").toLowerCase().indexOf("win") >= 0;
> + } catch(Throwable t) {
> + return true; // :)
> + }
> + }
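
Review bot: the `indexOf("win") >= 0` test in operatingSystemIsWindows() is a substring match, so any os.name value that merely contains "win" (the string "Darwin", for example) is reported as Windows; matching the prefix of the lower-cased value instead, e.g. `startsWith("windows")`, would avoid that. The `catch(Throwable t)` also hides a null or inaccessible os.name property behind `return true; // :)`; if treating an unknown OS as Windows is the intended fail-safe, a comment saying so in place of the smiley would help, and catching only the expected exceptions would keep unrelated errors visible.
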
>
> IMHO this is dodgy, other OSs might have "win" in them. Normally we just
> check if File.separator is "\".

Generally if we're not on Windows then more characters are allowed in filenames so false positives are better than false negatives.

> I am not convinced that the rest of the change is a good idea. For example
> allowing HTML markup in filenames might combine with sloppy code to cause
> problems. Allowing % in url's might again cause issues. Allowing pipes, <>,
> and spaces might cause problems with filenames copied to a shell. I guess
> it should depend on the configuration i.e. how paranoid the user is.

I think you're being too paranoid here. Filenames are like one of the first things which are implemented in a new operating system, if any operating system is exploitable only via special characters in filenames then it is not our problem. And we should just fix our % encoder instead of being paranoid about problems with it. I guess I will have a look at it now....
_______________________________________________ Devl mailing list [email protected] http://osprey.vm.bytemark.co.uk/cgi-bin/mailman/listinfo/devl
