>> I believe we've found an edge case which isn't correctly caught by the >> *match_request() *method in attachment.py:462 >> <http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462>. >> >> If a filename contains a new line character (e.g. in our case a line >> feed), then it will never be picked up by the match_request method as >> the final match group (.*) doesn't account for new lines. >> >> One suggested patch would be to add the *re.S* flag to the match, but I >> wanted to check if anyone knew of any issues (e.g. security) which might >> arise from this, particularly if any other places in Trac Core assume >> that a filename doesn't contain a new line character. > > My personal feeling is to discourage such an insane filename (report it > in a warning?) in the first place. Neither have I encountered such a > wired filename before nor can I see a valid use case and consequently > the need to support it. Is this unrealistic thinking?
I agree. Spaces in file names is one thing but vertical white space? That's insane. -- You received this message because you are subscribed to the Google Groups "Trac Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/trac-dev. For more options, visit https://groups.google.com/groups/opt_out.
