Hi all,

I believe we've found an edge case which isn't correctly caught by the 
*match_request()* method in 
attachment.py:462 <http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462>.

If a filename contains a new line character (e.g. in our case a line feed), 
then it will never be picked up by the match_request method as the final 
match group (.*) doesn't account for new lines.

One suggested patch would be to add the *re.S* flag to the match, but I 
wanted to check if anyone knew of any issues (e.g. security) which might 
arise from this, particularly if any other places in Trac Core assume that 
a filename doesn't contain a new line character.

Kind regards,

Ian
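
The behaviour described in the message above, as an added example that is not part of the original post or of Trac's code. The pattern is an assumed stand-in (the message only states that the final group is `(.*)`), and the sample paths and the `control_chars` helper are constructed for illustration.

```python
import re

# Assumed stand-in for the attachment URL pattern: the message only states
# that the final group is (.*); the rest of the pattern is illustrative.
PATTERN = r'/(raw-|zip-)?attachment/([^/]+)(?:/(.*))?$'

# Constructed sample request paths.
SAMPLES = {
    'plain': '/attachment/ticket/42/report.txt',
    'embedded': '/attachment/ticket/42/report\nfinal.txt',
    'trailing': '/attachment/ticket/42/report.txt\n',
}


def captured_path(path_info, flags=0):
    """Return the final (.*) group, or None when the pattern does not match."""
    match = re.match(PATTERN, path_info, flags)
    return match.group(3) if match else None


def control_chars(name):
    """List control characters (C0 range and DEL) found in a filename.

    Hypothetical helper: one way to audit names before relying on the
    assumption that a filename never contains a newline.
    """
    return [ch for ch in name if ord(ch) < 0x20 or ord(ch) == 0x7f]


def survey():
    """Compare default matching with re.S for each sample path."""
    return {
        label: (captured_path(path), captured_path(path, re.S))
        for label, path in SAMPLES.items()
    }


if __name__ == '__main__':
    for label, (default, dotall) in survey().items():
        print(f'{label:9} default={default!r} re.S={dotall!r}')
```

The trailing line feed case matches even without `re.S`, but the captured name loses the newline, because `$` also matches just before a final newline; with `re.S` the newline is kept in the group.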
