The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman (was: Does This Scare You?)

Chris Angelico rosuav at gmail.com
Mon Aug 22 13:33:50 EDT 2016


On Tue, Aug 23, 2016 at 3:32 AM, Tim Chase
<python.list at tim.thechases.com> wrote:
> On 2016-08-23 02:20, Chris Angelico wrote:
>> It generally will (or rather, only if the file has one of a
>> particular set of extensions). Automatic thumbnailing is usually
>> done only for certain file names. I don't know of anything that
>> opens every single file to see if it has a JFIF signature (etc for
>> PNG and whatever other types).
>
> How about a web server that opens arbitrary files.  Compare any of
>
> https://technet.microsoft.com/en-us/library/nonexistent.aspx
> https://technet.microsoft.com/en-us/library/doesnotexist.aspx
> https://technet.microsoft.com/en-us/library/asdf.aspx
>
> vs
>
> https://technet.microsoft.com/en-us/library/con.aspx
> https://technet.microsoft.com/en-us/library/lpt1.aspx
> https://technet.microsoft.com/en-us/library/com1.aspx
> https://technet.microsoft.com/en-us/library/nul.aspx
>
> This is FREAKING MICROSOFT and it breaks things.  It's not like
> anybody would open arbitrarily-named files...

Oh, brilliant. Brilliant brilliant brilliant.

ChrisA
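One defensive check against the reserved-name problem Tim's examples show, as an added example that is not from the thread: a Python filter that rejects the classic Windows device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) the way Windows itself matches them (stem before the first dot, case-insensitive, trailing dots and spaces ignored). Function names are my own.

```python
import re

# Classic Windows device names; the thread's con, lpt1, com1 and nul are among them.
WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_name(filename: str) -> bool:
    """True if Windows would map this file name onto a device.

    Windows looks at the stem before the first '.', ignores case and
    drops trailing spaces and dots, so 'con.aspx', 'Nul.txt' and
    'lpt1.' all hit devices even though they look like normal files.
    """
    stem = filename.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in WINDOWS_RESERVED


def safe_upload_name(filename: str) -> str:
    """Normalise a user-supplied name into something safe to put on disk."""
    # Keep only the last path component so '..\\..\\con.aspx' can neither
    # escape the upload directory nor reach a device.
    name = re.split(r"[\\/]", filename)[-1]
    # Allow a conservative character set and drop leading/trailing dots and spaces.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip(" .")
    if not name:
        name = "upload"
    if is_reserved_name(name):
        name = "_" + name  # '_con.aspx' is an ordinary file name
    return name


if __name__ == "__main__":
    for candidate in ("nonexistent.aspx", "con.aspx", "lpt1.aspx", "..\\..\\nul.aspx"):
        print(f"{candidate!r:22} reserved={is_reserved_name(candidate)!s:5} -> {safe_upload_name(candidate)!r}")
```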
