Does This Scare You?

[Steve D'Aprano]

On Mon, 22 Aug 2016 08:33 pm, Jon Ribbens wrote:

> On 2016-08-22, Steve D'Aprano <steve+python at pearwood.info> wrote:
>> On Mon, 22 Aug 2016 10:38 am, eryk sun wrote:
>>> To me it's scary that this check misses cases because it's trying to
>>> be cross-platform instead of simply relying on GetFullPathName to do
>>> the work. For example, it misses at least the following cases:
>>
>> Instead of shaking in your boots over a simple bug in a non-critical
>> library, how about reporting these cases on the bug tracker with an
>> explanation of the problem?
> 
> That seems a rather unnecessarily harsh response.

Eryksun bought into Lawrence's over-the-top rhetorical question "does this
scare you?" by answering "Yes", and repeating the ridiculous term "scary".
He specifically said that it scares him *because* it is cross-platform
code, as if cross-platform code is a bad thing.

Now I'm sure that Eryksun isn't *actually* scared of cross-platform code.
I'm sure he is quite capable of using (say) os.listdir() without widdling
himself in terror *wink*. And I don't know if he was intentionally using
the word "scary" or whether it was just an ill-thought out choice of words.
Either way, yes, I'm making a gentle dig at Eryksun for exaggerating the
magnitude of the supposed problem and for taking something which is clearly
a mere bug and treating it as a feature that is broken by design.

There's nothing wrong with writing cross-platform code, and there's no
reason why non-Windows users shouldn't be permitted to explicitly query
whether a file name could be valid on a Windows system.


> Also, it's not "non-critical", this is a security bug.

How is this a security bug? What's the nature of the vulnerability?




-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.