[Django] #32725: Release notes for 2.2.21 are incomplete, or the code is too strict

Django

May 7, 2021, 7:30:30 AM
to django-...@googlegroups.com
#32725: Release notes for 2.2.21 are incomplete, or the code is too strict
------------------------------------------+------------------------
Reporter: Ned Batchelder | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------+------------------------
It seems to me that the release note for 2.2.21 is incomplete. It says,
"Specifically, empty file names and paths with dot segments will be
rejected."

But it's stricter than that: any path component causes the path to be
rejected:

> if name != os.path.basename(name):
>     raise SuspiciousFileOperation("File name '%s' includes path elements" % name)

Is this level of strictness necessary?

--
Ticket URL: <https://code.djangoproject.com/ticket/32725>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 7, 2021, 7:30:54 AM
to django-...@googlegroups.com
#32725: Release notes for 2.2.21 are incomplete, or the code is too strict
--------------------------------+--------------------------------------
Reporter: Ned Batchelder | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Description changed by Ned Batchelder:

Old description:

> It seems to me that the release note for 2.2.21 is incomplete. It says,
> "Specifically, empty file names and paths with dot segments will be
> rejected."
>
> But it's stricter than that: any path component causes the path to be
> rejected:
>
> > if name != os.path.basename(name):
> >     raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
>
> Is this level of strictness necessary?

New description:

It seems to me that the release note for 2.2.21 is incomplete. It says,
"Specifically, empty file names and paths with dot segments will be
rejected."

But it's stricter than that: any path component causes the path to be
rejected:

```
if name != os.path.basename(name):
    raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
```

Is this level of strictness necessary?

--
Ticket URL: <https://code.djangoproject.com/ticket/32725#comment:1>

Django

May 7, 2021, 7:31:27 AM
to django-...@googlegroups.com
#32725: Release notes for 2.2.21 are incomplete, or the code is too strict
--------------------------------+--------------------------------------
Reporter: Ned Batchelder | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Description changed by Ned Batchelder:

Old description:

> It seems to me that the release note for 2.2.21 is incomplete. It says,
> "Specifically, empty file names and paths with dot segments will be
> rejected."
>
> But it's stricter than that: any path component causes the path to be
> rejected:
>
> ```
> if name != os.path.basename(name):
>     raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
> ```
>
> Is this level of strictness necessary?

New description:

It seems to me that the release note for 2.2.21 is incomplete. It says,
"Specifically, empty file names and paths with dot segments will be
rejected."

But it's stricter than that: any path component causes the path to be
rejected:

{{{
if name != os.path.basename(name):
    raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
}}}


Is this level of strictness necessary?

--
Ticket URL: <https://code.djangoproject.com/ticket/32725#comment:2>

Django

May 7, 2021, 7:31:48 AM
to django-...@googlegroups.com
#32725: Release notes for 2.2.21 are incomplete, or the code is too strict
--------------------------------+--------------------------------------
Reporter: Ned Batchelder | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Description changed by Ned Batchelder:

Old description:

> It seems to me that the release note for 2.2.21 is incomplete. It says,
> "Specifically, empty file names and paths with dot segments will be
> rejected."
>
> But it's stricter than that: any path component causes the path to be
> rejected:
>
> {{{
> if name != os.path.basename(name):
>     raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
> }}}
>
> Is this level of strictness necessary?

New description:

It seems to me that the release note for 2.2.21 is incomplete. It says,
"Specifically, empty file names and paths with dot segments will be
rejected."

But it's stricter than that: any path component causes the path to be
rejected:

{{{
if name != os.path.basename(name):
    raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
}}}


Is this level of strictness necessary?

--
Ticket URL: <https://code.djangoproject.com/ticket/32725#comment:3>
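
The gap the ticket describes, as an added example that is not part of the original thread and is not Django's own code. `documented_rule` is a hypothetical reading of the release-note wording, `quoted_check` models only the two quoted lines, and `posixpath`, the local exception class and the sample names are assumptions made so the block runs without Django and gives the same result on every platform.

```python
import posixpath  # the quoted code uses os.path; posixpath keeps results OS-independent


class SuspiciousFileOperation(Exception):
    """Local stand-in for Django's exception of the same name."""


def documented_rule(name):
    """Hypothetical reading of the release note: reject empty names and dot segments."""
    if not name:
        raise SuspiciousFileOperation("Empty file name")
    if any(part in (".", "..") for part in name.split("/")):
        raise SuspiciousFileOperation("File name '%s' has dot segments" % name)
    return name


def quoted_check(name):
    """The two lines quoted in the ticket: reject anything that is not a bare base name."""
    if name != posixpath.basename(name):
        raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
    return name


def accepted(rule, name):
    try:
        rule(name)
    except SuspiciousFileOperation:
        return False
    return True


# Constructed sample names, not taken from the ticket.
SAMPLES = ["report.pdf", "../secrets.txt", "a/./b.txt",
           "2021/05/report.pdf", "/abs/report.pdf", "uploads/"]


def compare(samples=SAMPLES):
    """Return {name: (accepted_by_documented_rule, accepted_by_quoted_check)}."""
    return {n: (accepted(documented_rule, n), accepted(quoted_check, n)) for n in samples}


def stricter_than_documented(samples=SAMPLES):
    """Names the release-note wording allows but the quoted check rejects."""
    return [n for n, (doc, code) in compare(samples).items() if doc and not code]


if __name__ == "__main__":
    for name, (doc, code) in compare().items():
        print("%-22r documented=%-5s quoted_check=%s" % (name, doc, code))
```

Names returned by `stricter_than_documented()` are the ones an application upgrading to 2.2.21 would see rejected without the release note having said so, such as an upload name that carries a dated subdirectory.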

Django

May 7, 2021, 8:21:18 AM
to django-...@googlegroups.com
#32725: Release notes for 2.2.21 are incomplete, or the code is too strict
--------------------------------+--------------------------------------
Reporter: Ned Batchelder | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------

Comment (by Ned Batchelder):

Looks like this is a dup of https://code.djangoproject.com/ticket/32718

--
Ticket URL: <https://code.djangoproject.com/ticket/32725#comment:4>

Django

May 7, 2021, 8:21:36 AM
to django-...@googlegroups.com
#32725: Release notes for 2.2.21 are incomplete, or the code is too strict
--------------------------------+--------------------------------------
Reporter: Ned Batchelder | Owner: nobody
Type: Uncategorized | Status: closed
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution: duplicate
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Changes (by Ned Batchelder):

* status: new => closed
* resolution: => duplicate


--
Ticket URL: <https://code.djangoproject.com/ticket/32725#comment:5>
