On Tue, Aug 23, 2016 at 12:34 AM, Random832 <random...@fastmail.com> wrote:
> On Mon, Aug 22, 2016, at 10:21, Ben Finney wrote:
>> So yes, filenames from arbitrary sources should be *completely*
>> untrusted, and never used to access any file on the system. Throw the
>> entire filename away and make a filename locally, without using any part
>> of the original name.
>
> To be fair, this particular case is unique in presenting a possibility
> to cause problems even for a filename that consists only of whitelisted
> characters (for a reasonable-sounding whitelist such as "ASCII letters
> and numbers and underscore only; all other characters to be scrubbed and
> replaced with {underscore, hex escape, nothing}"). I don't think there's
> any other precedent.
Windows has some other issues, including that arbitrary files can become executable very easily (e.g. if %PATHEXT% includes its file extension), and since the current directory is always at the beginning of your path, this can easily turn into a remote code execution exploit. And any GUI that automatically calculates thumbnails from image files (this includes Windows, Mac OS, and more than one Linux window manager) could potentially be attacked via a malformed file, simply by having it appear on the file system.

So the idea that some file names are dangerous is far FAR broader than "a file called prn.txt will get saved to the printer".

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
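The two hazards the thread is circling, as an added Python example that is not code from the thread or from any of its participants: a character whitelist of the kind Random832 describes (letters, digits, underscore; keep the extension so the file still opens) passes `prn.txt` and `setup.bat` through untouched, because the danger lives in the name itself rather than in any forbidden character, whereas Ben Finney's rule of generating the name locally sidesteps both the reserved-device and the %PATHEXT% problem at once. The reserved-name list is the documented DOS device set; the `DEFAULT_PATHEXT` tuple is an assumed default and on a real Windows host should be read from `os.environ["PATHEXT"]` instead.

```python
"""Constructed example for the file-name hazards discussed above.

Not code from the python-list thread. DEFAULT_PATHEXT is an assumed
default; read os.environ["PATHEXT"] on a real Windows host.
"""
import os
import re
import secrets
import tempfile

# DOS device names Windows still reserves, compared case-insensitively
# against the part of the name before the first '.': "prn.txt" is PRN.
WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Assumed default %PATHEXT%; the real value is per machine and per user.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC")

# The "reasonable-sounding whitelist" from the quoted message.
_NOT_WHITELISTED = re.compile(r"[^A-Za-z0-9_]")


def whitelist_scrub(text: str) -> str:
    """Replace every character outside [A-Za-z0-9_] with an underscore."""
    return _NOT_WHITELISTED.sub("_", text)


def scrub_keep_extension(name: str) -> str:
    """Common practice: scrub stem and extension separately, keep the dot."""
    stem, ext = os.path.splitext(os.path.basename(name))
    scrubbed = whitelist_scrub(stem)
    if ext:
        scrubbed += "." + whitelist_scrub(ext[1:])
    return scrubbed


def is_windows_reserved(name: str) -> bool:
    """True if Windows would open a device instead of a file."""
    stem = os.path.basename(name).split(".", 1)[0].rstrip(" ")
    return stem.upper() in WINDOWS_RESERVED


def is_windows_executable(name: str, pathext=DEFAULT_PATHEXT) -> bool:
    """True if the extension lets the bare name run via %PATHEXT%."""
    ext = os.path.splitext(name)[1].upper()
    return ext in {e.upper() for e in pathext}


def audit_name(name: str, pathext=DEFAULT_PATHEXT) -> list:
    """List the hazards a scrubbed-but-still-original name carries."""
    issues = []
    if is_windows_reserved(name):
        issues.append("reserved device name")
    if is_windows_executable(name, pathext):
        issues.append("executable via PATHEXT")
    if name.rstrip(" .") != name:
        issues.append("trailing space/dot silently stripped by Windows")
    return issues


def local_filename(untrusted_name: str, ext: str = ".bin") -> str:
    """Ben Finney's rule: keep nothing from the supplied name.

    The argument is accepted only so a caller can log it separately;
    stem and extension are ours, so the result is neither a device
    name nor something %PATHEXT% will execute.
    """
    del untrusted_name  # deliberately unused
    return f"upload_{secrets.token_hex(8)}{ext}"


def save_upload(untrusted_name: str, data: bytes, dest_dir: str) -> str:
    """Write data under a locally generated name, never the original."""
    path = os.path.join(dest_dir, local_filename(untrusted_name))
    with open(path, "xb") as fh:   # "x": fail rather than clobber
        fh.write(data)
    return path


def make_scratch_dir() -> str:
    """Fresh temporary directory for the demonstration below."""
    return tempfile.mkdtemp(prefix="uploads-")


if __name__ == "__main__":
    for candidate in ("prn.txt", "com1.cmd", "my report!.exe", "notes.txt"):
        scrubbed = scrub_keep_extension(candidate)
        print(f"{candidate!r:18} -> {scrubbed!r:18} "
              f"issues: {audit_name(scrubbed) or 'none'}")
    saved = save_upload("prn.txt", b"constructed payload", make_scratch_dir())
    print("stored as", os.path.basename(saved), "issues:", audit_name(saved) or "none")
```

`audit_name` is a reporting aid, not a second filter to bolt onto the whitelist: the point of `local_filename` is that once the stored name is generated locally there is nothing left to audit, and the original name becomes metadata you can log or display rather than a path you open.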