On Mon, Aug 22, 2016 at 9:50 PM, Jon Ribbens <jon+use...@unequivocal.eu> wrote:
> On 2016-08-22, Chris Angelico <ros...@gmail.com> wrote:
>> On Mon, Aug 22, 2016 at 8:33 PM, Jon Ribbens <jon+use...@unequivocal.eu>
>> wrote:
>>> On 2016-08-22, Steve D'Aprano <steve+pyt...@pearwood.info> wrote:
>>>> On Mon, 22 Aug 2016 10:38 am, eryk sun wrote:
>>>>> To me it's scary that this check misses cases because it's trying to
>>>>> be cross-platform instead of simply relying on GetFullPathName to do
>>>>> the work. For example, it misses at least the following cases:
>>>>
>>>> Instead of shaking in your boots over a simple bug in a non-critical
>>>> library, how about reporting these cases on the bug tracker with an
>>>> explanation of the problem?
>>>
>>> That seems a rather unnecessarily harsh response.
>>> Also, it's not "non-critical", this is a security bug.
>>
>> Explain how?
>
> I don't know what purpose you are envisaging this function being used
> for, but the only one I can think of is input sanitisation. e.g. a web
> form where you receive a file from the Internet and store it somewhere,
> and you want to use the filename given to you rather than choose your
> own randomly-generated one.
>
> Under Unix all you need to do is check for the filename starting with
> "." or containing "/." (or "/", depending on your requirements).
> Under Windows you would use this function, which apparently doesn't
> work, hence: security hole.

Nope. On Windows, you would try/except it. There are myriad other ways
something could fail, and the only correct action is to attempt it.
Most of the reserved names will simply give an error; the only way
you'd actually get incorrect behaviour is if the file name, including
extension, is exactly a device name. (Caveat: My knowledge of Windows
is rusty and my testing just now was cursory. I could be wrong.)

So you can check for a few exact strings... or just slap some extra
text onto the beginning or end of the file name (beginning meaning
"after the last slash", not the beginning of the file *path*) and
you're safe.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
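
Added example, not part of the thread and not written by any of its participants: a sketch of the upload-filename handling discussed above, combining a check for device names, a fixed prefix placed after the last slash, and a write attempt wrapped in try/except. The function names, the `upload_` prefix and the device-name list are assumptions made for this illustration; the thread does not list the names.

```python
import os
import re

# Assumption: the classic Win32 device names; the thread itself does not list them.
_RESERVED = {"CON", "PRN", "AUX", "NUL", "CONIN$", "CONOUT$",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


def is_device_name(component: str) -> bool:
    """Conservatively flag a single path component that names a device."""
    # Older Win32 path handling ignores case, an extension, a trailing colon
    # and trailing spaces, so "con.txt" and "COM1:" count as well as "NUL".
    stem = re.split(r"[.:]", component, maxsplit=1)[0].rstrip(" ").upper()
    return stem in _RESERVED


def safe_upload_name(untrusted: str, prefix: str = "upload_") -> str:
    """Keep only the last component and put fixed text in front of it."""
    leaf = re.split(r"[\\/]", untrusted)[-1]          # text after the last slash
    leaf = re.sub(r'[<>:"|?*\x00-\x1f]', "_", leaf)   # characters Win32 rejects
    leaf = leaf.rstrip(" .")                          # Win32 drops these anyway
    if not leaf:                                      # covers "", "." and ".."
        leaf = "unnamed"
    return prefix + leaf


def store(directory: str, untrusted: str, data: bytes):
    """Attempt the write; return the path used, or None if the OS refused."""
    path = os.path.join(directory, safe_upload_name(untrusted))
    try:
        with open(path, "xb") as fh:   # "x" refuses to overwrite an existing file
            fh.write(data)
    except OSError:
        return None
    return path


# Constructed sample inputs, not taken from the thread.
SAMPLES = ["report.pdf", "NUL", "con.txt", "..\\..\\aux", "/etc/LPT1 ", "COM1:", ".."]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:16} -> {safe_upload_name(name)!r}")
```

The prefix goes in front of the leaf rather than after it because an extension or suffix following a device name does not stop older Windows versions from treating the name as the device.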