On 21.11.2013 13:56, Ian Clark wrote:
> Hi all,
> 
> I believe we've found an edge case which isn't correctly caught by the
> *match_request()* method in attachment.py:462
> <http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462>.
> 
> If a filename contains a new line character (e.g. in our case a line
> feed), then it will never be picked up by the match_request method as
> the final match group (.*) doesn't account for new lines.
> 
> One suggested patch would be to add the *re.S* flag to the match, but I
> wanted to check if anyone knew of any issues (e.g. security) which might
> arise from this, particularly if any other places in Trac Core assume
> that a filename doesn't contain a new line character.

My personal feeling is to discourage such an insane filename (report it
in a warning?) in the first place. Neither have I encountered such a
weird filename before nor can I see a valid use case and consequently
the need to support it. Is this unrealistic thinking?

Steffen Hoffmann
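
Added example, not part of the original thread and not Trac's code: a sketch of the behaviour discussed above, showing how a trailing `(.*)` group treats a line feed with and without `re.S`, next to a check that flags such filenames so they can be warned about or rejected. The `ROUTE` pattern and both function names are assumptions made for this illustration.

```python
import re
import unicodedata

# Stand-in for an attachment route (an assumption for this example, not
# Trac's actual pattern): the last group is meant to capture the filename.
ROUTE = r'/attachment/([^/]+)/(.*)$'


def routed_filename(path, flags=0):
    """Return the filename the route captures, or None if it does not match."""
    m = re.match(ROUTE, path, flags)
    return m.group(2) if m else None


def unsafe_chars(filename):
    """List (index, code point) of control characters (category Cc, which
    includes LF, CR and NUL) and Unicode line/paragraph separators."""
    return [(i, 'U+%04X' % ord(ch)) for i, ch in enumerate(filename)
            if unicodedata.category(ch) in ('Cc', 'Zl', 'Zp')]


if __name__ == '__main__':
    # Constructed sample paths.
    samples = ('/attachment/ticket/report.pdf',
               '/attachment/ticket/a\nb.txt',   # LF inside the name
               '/attachment/ticket/a.txt\n')    # LF at the end of the name
    for path in samples:
        name = path.rsplit('/', 1)[1]
        # Default flags: an embedded LF makes the route fail to match, and a
        # trailing LF is dropped because `$` also matches just before a final
        # newline. With re.S the group captures the name unchanged.
        print(repr(name),
              'default:', repr(routed_filename(path)),
              're.S:', repr(routed_filename(path, re.S)),
              'flagged:', unsafe_chars(name))
```

The trailing-LF case is the one to watch: without `re.S` the request still matches, but the captured name differs from the stored one.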
