On Mon, 22 Aug 2016 10:56 pm, Random832 wrote: > On Mon, Aug 22, 2016, at 08:39, Chris Angelico wrote: >> Nope. On Windows, you would try/except it. > > No, you can't, because the failure mode often isn't "file refuses to > open" but "data is written to a serial port".
Ah, that's a good point. I hadn't thought of that. But... what are the consequences if you write to the serial port? Unless you actually have an external device plugged into it, isn't that equivalent to writing to /dev/null? (Bytes go into the serial port, and just disappear.) The user uploads their file, and cleverly fools you into discarding their file? I'm not seeing how this is an attack. I suppose they could write to CON and display a lot of garbage on the screen. But if you're running this on Windows, surely you've already dealt with these issues, in which case it's a non-issue. Or you haven't dealt with them, in which case it's an existing bug and the code Lawrence demonstrated doesn't change anything. >> There are myriad other ways >> something could fail, and the only correct action is to attempt it. >> Most of the reserved names will simply give an error; the only way >> you'd actually get incorrect behaviour is if the file name, including >> extension, is exactly a device name. > > I think the reason you believe this can be traced back to the > "C:\con\con" trick, which crashed the system by trying to use the name > as a directory. \con\con hasn't been an issue since Windows 98. If you're running your web application under Win 98, you deserve to be blue-screened :-) -- Steve “Cheer up,” they said, “things could be worse.” So I cheered up, and sure enough, things got worse. -- https://mail.python.org/mailman/listinfo/python-list
