On Mon, Aug 22, 2016 at 10:56 PM, Random832 <random...@fastmail.com> wrote: >> Most of the reserved names will simply give an error; the only way >> you'd actually get incorrect behaviour is if the file name, including >> extension, is exactly a device name. > > I think the reason you believe this can be traced back to the > "C:\con\con" trick, which crashed the system by trying to use the name > as a directory.
I tried things like "con.txt" and it simply failed (no such file or directory), without printing anything to the console. But as Eryk says, adding an underscore is safe; and to be honest, I wouldn't accept file names from untrusted sources on *any* system - at very least, I'd prefix/suffix them with something to ensure uniqueness, which would deal with this issue as a convenient side effect. (Or alternatively, I'd use arbitrary numbers or hashes as the file names, and store the originally-submitted file name in some sort of metadata repository, like a Postgres table.) So I still don't see this as a security problem, just a practicality one. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
