On Thursday, November 21, 2013 5:53:21 AM UTC-8, Chris Nelson wrote: > > >> I believe we've found an edge case which isn't correctly caught by the > >> *match_request() *method in attachment.py:462 > >> <http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462<http://www.google.com/url?q=http%3A%2F%2Ftrac.edgewall.org%2Fbrowser%2Ftrunk%2Ftrac%2Fattachment.py%23L462&sa=D&sntz=1&usg=AFQjCNHvFdREs_Vw12QGNTUifYUxKeSavA>>. > >> > > >> > >> If a filename contains a new line character (e.g. in our case a line > >> feed), then it will never be picked up by the match_request method as > >> the final match group (.*) doesn't account for new lines. > >> > >> One suggested patch would be to add the *re.S* flag to the match, but I > >> wanted to check if anyone knew of any issues (e.g. security) which > might > >> arise from this, particularly if any other places in Trac Core assume > >> that a filename doesn't contain a new line character. > > > > My personal feeling is to discourage such an insane filename (report it > > in a warning?) in the first place. Neither have I encountered such a > > wired filename before nor can I see a valid use case and consequently > > the need to support it. Is this unrealistic thinking? > > I agree. Spaces in file names is one thing but vertical white space? > That's insane. >
I'm in agreement on the insane aspect of it, but it seems to work just fine to create a file with a linefeed character on TracStandalone: $ echo "Some text" > "myfile " The linefeed character is encoded as %0A: myfile%0A <https://lh4.googleusercontent.com/-y6QkNTiqtro/Uo6LbqcPqwI/AAAAAAAABBo/DJvL67oPARs/s1600/pic.png> -- You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to trac-dev+unsubscr...@googlegroups.com. To post to this group, send email to trac-dev@googlegroups.com. Visit this group at http://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/groups/opt_out.
