Does This Scare You?

Steve D'Aprano steve+python at pearwood.info
Mon Aug 22 08:02:43 EDT 2016


On 22 Aug 2016 08:33 pm, Jon Ribbens wrote:
> On 2016-08-22, Steve D'Aprano <steve+python at pearwood.info> wrote:
>> On 22 Aug 2016 10:38 am, eryk sun wrote:
>>> To me it's scary that this check misses cases because it's trying to
>>> be cross-platform instead of simply relying on GetFullPathName to do
>>> the work. For example, it misses at least the following cases:
>>
>> Instead of shaking in your boots over a simple bug in a non-critical
>> library, how about reporting these cases on the bug tracker with an
>> explanation of the problem?
>
> That seems a rather unnecessarily harsh response.

Eryksun bought into Lawrence's over-the-top rhetorical question "does this
scare you?" by answering "Yes", and repeating the ridiculous term "scary".
He specifically said that it scares him *because* it is cross-platform
code, as if cross-platform code is a bad thing.

Now I'm sure that Eryksun isn't *actually* scared of cross-platform code.
I'm sure he is quite capable of using (say) os.listdir() without widdling
himself in terror *wink*. And I don't know if he was intentionally using
the word "scary" or whether it was just an ill-thought out choice of words.
Either way, yes, I'm making a gentle dig at Eryksun for exaggerating the
magnitude of the supposed problem and for taking something which is clearly
a mere bug and treating it as a feature that is broken by design.

There's nothing wrong with writing cross-platform code, and there's no
reason why non-Windows users shouldn't be permitted to explicitly query
whether a file name could be valid on a Windows system.

> Also, it's not "non-critical", this is a security bug.

How is this a security bug? What's the nature of the vulnerability?
-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.

