[3.10] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) #93543

Open: wants to merge 1 commit into base: 3.10

@miss-islington (Contributor) commented Jun 6, 2022

(cherry picked from commit b9509ba)

Co-authored-by: Petr Viktorin <encukou@gmail.com>

@encukou (Member) commented Jun 6, 2022

@gpshead said:

> The failure scenario for an application where we simply start claiming no match (return None?) on potentially suspicious filenames seems acceptable. I doubt it would be a big deal to users if any even notice at all. So if you want to go forward with a PR like #91993 my gut feeling is that nobody is going to balk at the change, even in security only release branches.

@pablogsal, do you agree?

@pablogsal (Member) commented Jun 6, 2022

> @gpshead said:
>
> > The failure scenario for an application where we simply start claiming no match (return None?) on potentially suspicious filenames seems acceptable. I doubt it would be a big deal to users if any even notice at all. So if you want to go forward with a PR like #91993 my gut feeling is that nobody is going to balk at the change, even in security only release branches.
>
> @pablogsal, do you agree?

I agree, but I am still not confident on backporting it, so unless there is some clear consensus from everyone I would recommend to be cautious here.

@miss-islington (Contributor, Author) commented Jun 6, 2022

Status check is done, and it's a success.

@encukou (Member) commented Jun 6, 2022

Who's "everyone"?
Not too many people are interested in mailcap :)

@pablogsal (Member) commented Jun 6, 2022

Everyone is any core dev interested in mailcap who wants to voice their opinion. If nobody objects or everyone is just you and @gpshead then go ahead and merge it :)
