On 21.11.2013 13:56, Ian Clark wrote:
> Hi all,
> 
> I believe we've found an edge case which isn't correctly caught by the
> *match_request()* method in attachment.py:462
> <http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462>.
> 
> If a filename contains a new line character (e.g. in our case a line
> feed), then it will never be picked up by the match_request method as
> the final match group (.*) doesn't account for new lines.
> 
> One suggested patch would be to add the *re.S* flag to the match, but I
> wanted to check if anyone knew of any issues (e.g. security) which might
> arise from this, particularly if any other places in Trac Core assume
> that a filename doesn't contain a new line character.

My personal feeling is to discourage such an insane filename (report it
in a warning?) in the first place. Neither have I encountered such a
weird filename before nor can I see a valid use case and consequently
the need to support it. Is this unrealistic thinking?

Steffen Hoffmann

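Added example (not part of either message and not Trac's own code): how a route regex ending in (.*)$ treats a filename containing a line feed, with and without re.S, next to an upload-time check that rejects control characters in attachment names. The pattern ROUTE, the function names and the sample paths are assumptions made up for this illustration.

```python
import re
import unicodedata

# Hypothetical, simplified route pattern; NOT copied from Trac's attachment.py.
ROUTE = r'^/attachment/([^/]+)/(.*)$'
DEFAULT = re.compile(ROUTE)        # '.' stops at '\n'
DOTALL = re.compile(ROUTE, re.S)   # '.' also matches '\n'


def filename_from_path(pattern, path_info):
    """Return the captured filename, or None when the route does not match."""
    m = pattern.match(path_info)
    return m.group(2) if m else None


def has_control_chars(filename):
    """True if the name contains any Unicode control character (category Cc)."""
    return any(unicodedata.category(ch) == 'Cc' for ch in filename)


def check_upload_name(filename):
    """Assumed policy: refuse names with control characters at upload time."""
    if has_control_chars(filename):
        raise ValueError('control character in attachment filename: %r'
                         % filename)
    return filename


if __name__ == '__main__':
    # Constructed sample paths. Note the last one: without re.S, '$' matches
    # just before a trailing '\n', so the route matches but the captured name
    # silently loses the newline and no longer equals the stored filename.
    samples = (
        '/attachment/wiki/report.txt',
        '/attachment/wiki/line1\nline2.txt',
        '/attachment/wiki/report.txt\n',
    )
    for path in samples:
        print('%-40r default=%r dotall=%r' % (
            path,
            filename_from_path(DEFAULT, path),
            filename_from_path(DOTALL, path)))
```
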