Does This Scare You?

Steve D'Aprano steve+python at pearwood.info
Mon Aug 22 09:34:23 EDT 2016


On Mon, 22 Aug 2016 10:56 pm, Random832 wrote:

> On Mon, Aug 22, 2016, at 08:39, Chris Angelico wrote:
>> Nope. On Windows, you would try/except it.
> 
> No, you can't, because the failure mode often isn't "file refuses to
> open" but "data is written to a serial port".

Ah, that's a good point. I hadn't thought of that.

But... what are the consequences if you write to the serial port? Unless you
actually have an external device plugged into it, isn't that equivalent to
writing to /dev/null? (Bytes go into the serial port, and just disappear.)
The user uploads their file, and cleverly fools you into discarding their
file? I'm not seeing how this is an attack.


I suppose they could write to CON and display a lot of garbage on the
screen. But if you're running this on Windows, surely you've already dealt
with these issues, in which case it's a non-issue. Or you haven't dealt
with them, in which case it's an existing bug and the code Lawrence
demonstrated doesn't change anything.
>> There are myriad other ways
>> something could fail, and the only correct action is to attempt it.
>> Most of the reserved names will simply give an error; the only way
>> you'd actually get incorrect behaviour is if the file name, including
>> extension, is exactly a device name.
> 
> I think the reason you believe this can be traced back to the
> "C:\con\con" trick, which crashed the system by trying to use the name
> as a directory.

\con\con hasn't been an issue since Windows 98. If you're running your web
application under Win 98, you deserve to be blue-screened :-)
-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
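The failure mode Random832 raises above (a client-supplied name such as `COM1` or `CON` that Windows maps to a device rather than a file, so the "upload" is written to the device) is straightforward to screen for on the server side. The following is an added example, not code from this thread or from any of its participants; the helper names are mine, and the reserved-name list is the one Microsoft documents for Win32 file naming. It also covers the case Chris's wording glosses over: Windows compares only the part of the name before the first dot against the device list, so `CON.txt` and `nul.tar.gz` still resolve to the device, and trailing spaces and dots are silently stripped. (Recent Python versions offer `pathlib.PureWindowsPath(name).is_reserved()` for a similar test, but it is slated for removal, so a small explicit check is easier to reason about.)

```python
"""Screen untrusted upload file names for Windows reserved device names.

Added example for the python-list thread; not code posted by any participant.
The reserved-name set follows Microsoft's Win32 file-naming documentation.
"""
import re

# DOS device names that Win32 path handling maps to devices instead of files.
_RESERVED = {"CON", "PRN", "AUX", "NUL"}
_RESERVED |= {f"COM{i}" for i in range(1, 10)}
_RESERVED |= {f"LPT{i}" for i in range(1, 10)}


def _base_name(name: str) -> str:
    """Return the portion of a file name Windows compares to the device list.

    Windows ignores everything from the first '.' onward (so "CON.txt" still
    opens the console device), drops an alternate-stream ':' suffix ("CON:"),
    and strips trailing spaces and dots before the comparison.
    """
    stem = name.split(".", 1)[0].split(":", 1)[0]
    return stem.rstrip(" .").upper()


def is_windows_reserved_name(name: str) -> bool:
    """True if opening `name` for writing on Windows could hit a device."""
    return _base_name(name) in _RESERVED


def safe_upload_name(name: str) -> str:
    """Turn an untrusted client-supplied name into a safe leaf file name.

    - keeps only the last path component (defeats ../ and ..\\ traversal)
    - strips trailing spaces/dots that Windows would silently remove
    - maps characters outside a conservative allow-list to '_'
    - prefixes reserved device names so "CON.txt" becomes "_CON.txt",
      which is an ordinary file on every platform
    """
    leaf = re.split(r"[\\/]", name)[-1]      # last component, either separator
    leaf = leaf.rstrip(" .")                 # Windows drops these anyway
    leaf = re.sub(r"[^A-Za-z0-9._-]", "_", leaf)
    if leaf in ("", ".", ".."):
        leaf = "unnamed"
    if is_windows_reserved_name(leaf):
        leaf = "_" + leaf
    return leaf


if __name__ == "__main__":
    # Constructed sample names, the kind a file-upload handler might receive.
    for sample in ["report.pdf", "CON.txt", "nul.tar.gz", "..\\..\\COM1", "aux.c"]:
        print(f"{sample!r:18} reserved={is_windows_reserved_name(sample)!s:5} "
              f"-> {safe_upload_name(sample)!r}")
```

The prefix approach keeps the user's chosen name recognisable while guaranteeing the stored name is never a device name; rejecting the upload outright with an error is equally valid if the application prefers not to rename silently.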