On Thursday, November 21, 2013 5:53:21 AM UTC-8, Chris Nelson wrote: > > >> I believe we've found an edge case which isn't correctly caught by the > >> *match_request() *method in attachment.py:462 > >> <http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462<http://www.google.com/url?q=http%3A%2F%2Ftrac.edgewall.org%2Fbrowser%2Ftrunk%2Ftrac%2Fattachment.py%23L462&sa=D&sntz=1&usg=AFQjCNHvFdREs_Vw12QGNTUifYUxKeSavA>>. > >> > > >> > >> If a filename contains a new line character (e.g. in our case a line > >> feed), then it will never be picked up by the match_request method as > >> the final match group (.*) doesn't account for new lines. > >> > >> One suggested patch would be to add the *re.S* flag to the match, but I > >> wanted to check if anyone knew of any issues (e.g. security) which > might > >> arise from this, particularly if any other places in Trac Core assume > >> that a filename doesn't contain a new line character. > > > > My personal feeling is to discourage such an insane filename (report it > > in a warning?) in the first place. Neither have I encountered such a > > wired filename before nor can I see a valid use case and consequently > > the need to support it. Is this unrealistic thinking? > > I agree. Spaces in file names is one thing but vertical white space? > That's insane. >
I'm in agreement on the insane aspect of it, but it seems to work just fine to create a file with a linefeed character on TracStandalone: $ echo "Some text" > "myfile " The linefeed character is encoded as %0A: myfile%0A <https://lh4.googleusercontent.com/-y6QkNTiqtro/Uo6LbqcPqwI/AAAAAAAABBo/DJvL67oPARs/s1600/pic.png> -- You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/groups/opt_out.
