On Wednesday 17 February 2010 18:21:59 Matthew Toseland wrote:
> +     private static final boolean operatingSystemIsWindows() { // TODO: Move
> to the proper class +         try {
> +                     return 
> System.getProperty("os.name").toLowerCase().indexOf("win") >= 0;
> +             } catch(Throwable t) {
> +                     return true;    // :)
> +             }
> +     }
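Review bot: the substring test `indexOf("win") >= 0` in operatingSystemIsWindows() returns true for any os.name value that merely contains "win", so the check is broader than the method name says; matching the prefix instead, e.g. `System.getProperty("os.name").toLowerCase().startsWith("windows")`, would keep it to Windows. The `catch(Throwable t)` branch also swallows Errors and explains its `return true` only with `// :)`. Catching RuntimeException (a SecurityException from getProperty, or a NullPointerException when the property is missing) and saying in the comment that treating the platform as Windows is the intended restrictive fallback would make the behaviour reviewable.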
>
> IMHO this is dodgy, other OSs might have "win" in them. Normally we just
> check if File.separator is "\".

Generally if we're not on Windows then more characters are allowed in filenames 
so false positives are better than false negatives.

> I am not convinced that the rest of the change is a good idea. For example
> allowing HTML markup in filenames might combine with sloppy code to cause
> problems. Allowing % in URLs might again cause issues. Allowing pipes, <>,
> and spaces might cause problems with filenames copied to a shell. I guess
> it should depend on the configuration i.e. how paranoid the user is.

I think you're being too paranoid here. Filenames are like one of the first 
things which are implemented in a new operating system; if any operating 
system is exploitable only via special characters in filenames then it is not 
our problem. And we should just fix our % encoder instead of being paranoid 
about problems with it. I guess I will have a look at it now...