Steve Dower added the comment:

It's certainly exploitable for remote code execution if user data allows 
embedded nulls (can you URL encode %00?). The fixes look fine and shouldn't 
cause any new issues, though I thought that fsencode() already rejected 
embedded nulls - maybe I'm thinking of the argument converter though, which is 
not invoked here.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue30730>
_______________________________________