On 2016-08-22, Chris Angelico <ros...@gmail.com> wrote:
> On Mon, Aug 22, 2016 at 8:33 PM, Jon Ribbens <jon+use...@unequivocal.eu> wrote:
>> On 2016-08-22, Steve D'Aprano <steve+pyt...@pearwood.info> wrote:
>>> On Mon, 22 Aug 2016 10:38 am, eryk sun wrote:
>>>> To me it's scary that this check misses cases because it's trying to
>>>> be cross-platform instead of simply relying on GetFullPathName to do
>>>> the work. For example, it misses at least the following cases:
>>>
>>> Instead of shaking in your boots over a simple bug in a non-critical
>>> library, how about reporting these cases on the bug tracker with an
>>> explanation of the problem?
>>
>> That seems a rather unnecessarily harsh response.
>> Also, it's not "non-critical", this is a security bug.
>
> Explain how?
I don't know what purpose you are envisaging this function being used for, but the only one I can think of is input sanitisation, e.g. a web form where you receive a file from the Internet and store it somewhere, and you want to use the filename given to you rather than choose your own randomly-generated one. Under Unix all you need to do is check for the filename starting with "." or containing "/." (or "/", depending on your requirements). Under Windows you would use this function, which apparently doesn't work, hence: security hole.

-- 
https://mail.python.org/mailman/listinfo/python-list
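The Unix check described in the reply above, written out as an added example (this is not code from the thread or from the library under discussion). `unix_filename_is_safe` implements exactly the rule stated in the post (reject names starting with "." or containing "/.", and optionally any "/"), plus rejection of empty names, NUL bytes and absolute paths; `strict_filename_is_safe` is a more conservative allowlist variant, and `safe_upload_path` is a second line of defence that confirms the final path still lies under the upload directory. The function names, the allowlist pattern and the `/srv/uploads` directory are assumptions of this example.

```python
import os
import re

# Conservative allowlist used by the strict variant below. This pattern is an
# assumption of this example, not a rule stated in the thread.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def unix_filename_is_safe(name: str, allow_subdirs: bool = False) -> bool:
    """The rule from the post: no leading '.', no '/.', and (optionally) no '/'.

    Extra rejections (empty, NUL, absolute) are added here because any path
    API would otherwise treat the name in a way the uploader did not intend.
    """
    if not name or "\x00" in name:
        return False
    if name.startswith("/"):          # absolute path: never an upload name
        return False
    if name.startswith("."):          # covers ".", "..", ".bashrc", ".ssh/..."
        return False
    if "/." in name:                  # covers "a/../b", "a/./b", "a/.hidden"
        return False
    if not allow_subdirs and "/" in name:
        return False
    return True


def strict_filename_is_safe(name: str) -> bool:
    """Allowlist variant: a single path component, printable ASCII, no leading dot.

    Stricter than the post's rule; rejects everything the rule rejects and more.
    """
    return bool(_SAFE_NAME.fullmatch(name))


def safe_upload_path(base_dir: str, name: str, allow_subdirs: bool = False):
    """Join the validated name onto base_dir and re-check containment.

    Returns the normalised absolute path, or None if the name was rejected or
    the joined path escapes base_dir. The containment check is defence in
    depth: it should never fire if the name check is correct.
    """
    if not unix_filename_is_safe(name, allow_subdirs):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    full = os.path.normpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    # Constructed sample inputs: what a validator should and should not accept.
    for candidate in ["report.pdf", ".bashrc", "../etc/passwd",
                      "docs/readme.txt", "docs/../readme.txt", "a\x00b"]:
        print(repr(candidate), unix_filename_is_safe(candidate),
              unix_filename_is_safe(candidate, allow_subdirs=True),
              strict_filename_is_safe(candidate),
              safe_upload_path("/srv/uploads", candidate, allow_subdirs=True))
```

Note that the "/." test does the heavy lifting once subdirectories are allowed: every traversal component ("..") and every hidden component inside a subpath begins with a dot after a slash, so one substring check catches them all. The containment check in `safe_upload_path` is deliberately redundant; it exists so that a future relaxation of the name rule does not silently turn into a traversal.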