Message 326867 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Michael.Felt, jkloth, vstinner
Date	2018-10-02.08:36:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1538469361.99.0.545547206417.issue34711@psf.upfronthosting.co.za>
In-reply-to

Content
Jeremy Kloth: "This is also an issue on Windows when the target path resides within a junction, paths outside of a junction respond (err, fail) as expected." https://developercommunity.visualstudio.com/content/problem/272379/createfile-non-error-on-filename-with-trailing-bac.html I don't know the behavior on Windows. I tried to create a file name "a\" (U+0061, U+005C): I get an OSError "invalid argument" (error 22). I confirm that in a junction point, I am able to: * open an existing file with an additional trailing antislash (U+005C): the extra character is simply ignored and I am able to open the file * create a new file with an additional trailing antislash (U+005C): the filename is created without the trailing antislash On the PR, I wrote: > There are much more functions which "open a file". Open Python/fileutils.c for a few mores. What about os.open()? What about all other functions which accept a filename and then call a third party library which calls open() directly? Ok, let me give some examples of function which directly open a file: * fileutils.c: _Py_open(), _Py_open_noraise(), _Py_wfopen(), _Py_fopen(), _Py_fopen_obj() * os.open() * _io.FileIO, _pyio.FileIO (use os.open()) Ok... But there are other functions to access files... stat()/fstat() functions: * fileutils.c: _Py_fstat_noraise(), _Py_fstat(), _Py_stat() * Modules/getpath.c: _Py_wstat() * os.stat(), os.lstat(), os.fstat() To start to have a better ideas of how many functions accept filenames, open also Lib/shutil.py. shutil.copyfile() uses os.stat(), but then it uses os.symlink() and open()... So what about os.symlink()? Ok, here I only listen a few examples of functions which are "controlled" by Python. But there are many wrappers to 3rd party libraries which accept a filename. Examples: * _ssl.SSLContext.load_cert_chain() * sqlite3.connect() * etc. Where is the limit? How many functions must be patched in Python? How do we patch OpenSSL and SQLite libraries? Python is designed as a thin wrapper to the operating system. IMHO Python must not validate the filename itself. -- > Going back to issue17234 - there has been a test to check that a URL with a trailing slash reports 404 status. IMHO you must fix a single place: the SimpleHTTPServer, not all code handling the filesytem. Same remark for AIX and Windows junctions. I suggest to reject this issue.

Jeremy Kloth: "This is also an issue on Windows when the target path resides within a junction, paths outside of a junction respond (err, fail) as expected."
https://developercommunity.visualstudio.com/content/problem/272379/createfile-non-error-on-filename-with-trailing-bac.html

I don't know the behavior on Windows. I tried to create a file name "a\" (U+0061, U+005C): I get an OSError "invalid argument" (error 22).

I confirm that in a junction point, I am able to:

* open an existing file with an additional trailing antislash (U+005C): the extra character is simply ignored and I am able to open the file

* create a new file with an additional trailing antislash (U+005C): the filename is created without the trailing antislash

On the PR, I wrote:

> There are much more functions which "open a file". Open Python/fileutils.c for a few mores. What about os.open()? What about all other functions which accept a filename and then call a third party library which calls open() directly?

Ok, let me give some examples of function which directly open a file:

* fileutils.c: _Py_open(), _Py_open_noraise(), _Py_wfopen(), _Py_fopen(), _Py_fopen_obj()
* os.open()
* _io.FileIO, _pyio.FileIO (use os.open())

Ok... But there are other functions to access files... stat()/fstat() functions:

* fileutils.c: _Py_fstat_noraise(), _Py_fstat(), _Py_stat()
* Modules/getpath.c: _Py_wstat()
* os.stat(), os.lstat(), os.fstat()

To start to have a better ideas of how many functions accept filenames, open also Lib/shutil.py. shutil.copyfile() uses os.stat(), but then it uses os.symlink() and open()... So what about os.symlink()?

Ok, here I only listen a *few* examples of functions which are "controlled" by Python. But there are *many* wrappers to 3rd party libraries which accept a filename. Examples:

* _ssl.SSLContext.load_cert_chain()
* sqlite3.connect()
* etc.

Where is the limit? How many functions must be patched in Python? How do we patch OpenSSL and SQLite libraries?

Python is designed as a thin wrapper to the operating system. IMHO Python must not validate the filename itself.

--

> Going back to issue17234 - there has been a test to check that a URL with a trailing slash reports 404 status.

IMHO you must fix a single place: the SimpleHTTPServer, not all code handling the filesytem.

Same remark for AIX and Windows junctions.

I suggest to reject this issue.

History
Date	User	Action	Args
2018-10-02 08:36:02	vstinner	set	recipients: + vstinner, jkloth, Michael.Felt
2018-10-02 08:36:01	vstinner	set	messageid: <1538469361.99.0.545547206417.issue34711@psf.upfronthosting.co.za>
2018-10-02 08:36:01	vstinner	link	issue34711 messages
2018-10-02 08:36:01	vstinner	create