On Thursday, November 21, 2013 4:56:23 AM UTC-8, Ian Clark wrote:
>
> Hi all,
>
> I believe we've found an edge case which isn't correctly caught by the *match_request()* method in attachment.py:462<http://trac.edgewall.org/browser/trunk/trac/attachment.py#L462>.
>
> If a filename contains a new line character (e.g. in our case a line feed), then it will never be picked up by the match_request method as the final match group (.*) doesn't account for new lines.
>
> One suggested patch would be to add the *re.S* flag to the match, but I wanted to check if anyone knew of any issues (e.g. security) which might arise from this, particularly if any other places in Trac Core assume that a filename doesn't contain a new line character.
>
> Kind regards,
>
> Ian

Ian,

Do you actually have a file in your Trac system that has an embedded newline? If so, how did it get there (e.g. upload through browser, trac-admin add, XmlRpc attachment add, ...)? We should make sure to cover that case in the patch for #11395.
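The behaviour discussed in this thread can be reproduced with the following added example, which is not part of either message and is not Trac's code. `ROUTE` is a simplified stand-in pattern ending in `(.*)`, and `route` and the sample paths are constructed for illustration; the example also covers a trailing line feed, which `$` treats differently from an embedded one.

```python
import re

# Simplified stand-in for an attachment route ending in (.*).
# Assumption for illustration; this is not Trac's actual pattern.
ROUTE = r'/attachment/([^/]+)(?:/(.*))?$'
DEFAULT = re.compile(ROUTE)        # '.' stops at a line feed
DOTALL = re.compile(ROUTE, re.S)   # '.' matches a line feed as well


def route(pattern, path_info):
    """Return (realm, rest) when the path is routed, otherwise None."""
    m = pattern.match(path_info)
    return (m.group(1), m.group(2)) if m else None


# Constructed sample request paths.
PLAIN = '/attachment/ticket/1/report.txt'
EMBEDDED_LF = '/attachment/ticket/1/re\nport.txt'
TRAILING_LF = '/attachment/ticket/1/report.txt\n'

if __name__ == '__main__':
    for label, path in [('plain', PLAIN), ('embedded LF', EMBEDDED_LF),
                        ('trailing LF', TRAILING_LF)]:
        print(label, route(DEFAULT, path), route(DOTALL, path))
```

Without `re.S` the embedded line feed is never routed, while the trailing one is routed with the line feed dropped from the captured name, because `$` also matches just before a final newline. With `re.S` both names reach the handler intact, so any code downstream of the match sees the line feed.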
