Message5859
Hi Anthony:
In msg5857 you said:
>Of course the best way is to check by applying the patch in
>my system. I'll try to review the patch in the next week.
That sounds good. If you can verify it works for you I will check in the
patch, the new tests I coded and the doc/upgrading.txt and
CHANGES.txt entries.
I don't think the jinja code path has any actual tests.
The test/test_jinja.py file looks like it has some setup/teardown and
a test that asserts that True is True. If you have some jinja tests,
please provide the patches and I will get them added.
In msg5856 you said:
> I think that all decoding is done in the upper level and
> we are working with character string representing a path
> part. [...]
> These are more likely my feelings than results of analyzing.
That's my feeling as well but I don't know the effects of the path when
passed to the OS. Does it strip the 8th bit under some locale/encoding
settings? How are the paths represented/converted for Windows system
calls, etc.?
Since this is beyond my ability to analyse, I went with the safer way:
using the code to normalize the paths and determine the conversions. At
least doing it this way I don't look incompetent for following best
practices if it does not provide the protection we need.
I'll look forward to your report when trying the patch.
-- rouilj

Date | User | Action | Args
2016-07-15 22:16:49 | rouilj | set | messageid: <1468621009.8.0.895909421993.issue2550891@psf.upfronthosting.co.za>
2016-07-15 22:16:49 | rouilj | set | recipients: + rouilj, schlatterbeck, joseph_myers, antmail
2016-07-15 22:16:49 | rouilj | link | issue2550891 messages
2016-07-15 22:16:49 | rouilj | create |