Hi Anthony:

In msg5857 you said:
>Of course the best way is to check by applying the patch in
>my system.I'll try to review the patch in the next week.

That sounds good. If you can verify it works for you I will check in the
patch, the new tests I coded and the doc/upgradng.txt and
CHANGES.txt entries.

I don't think the jinja code path has any actual tests.
The test/test_jinja.py file looks like it has some setup/teardown and
a test that asserts that True is True. If you have some jinja tests,
please provide the patches and I will get them added.

In msg5856 you said:
> I  think  that  all  decoding  is  done  in the upper level and
> we are working   with   character   string  representing a path
> part. [...]
> These are more likely my feelings than results of analyzing.

That's my feeling as well but I don't know the effects of the path when
passed to the OS. Does it strip the 8th bit under some locale/encoding
settings? How are the paths represented/converted for windows system
calls etc.

Since this is beyond my ability to analyse, I went with the safer way:
using the code to normalize the paths and determine the conversions. At
least doing it this way I don't look incompetent for following best
practices if it does not provide the protection we need.

I'll look forward to your report when trying the patch.

-- rouilj