diff options
| author | Harmen Stoppels <harmenstoppels@gmail.com> | 2023-07-24 12:30:47 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-07-24 12:30:47 +0200 |
| commit | 0fff219aa4483cfbed6bb947b13a340b46e6aa71 (patch) | |
| tree | aa417bec0cd2337da601c68f95c59f8c6771472d /SECURITY.md | |
| parent | ac3c0a434702d5ce378fd8a826032582297fe79f (diff) | |
| download | spack-0fff219aa4483cfbed6bb947b13a340b46e6aa71.tar.gz spack-0fff219aa4483cfbed6bb947b13a340b46e6aa71.tar.bz2 spack-0fff219aa4483cfbed6bb947b13a340b46e6aa71.tar.xz spack-0fff219aa4483cfbed6bb947b13a340b46e6aa71.zip | |
Fix broken `sanitize_file_path` (#38926)
The sanitization function is completely bogus as it tries to replace /
on unix after ... splitting on it. The way it's implemented is very
questionable: the input is a file name, not a path. It doesn't make
sense to interpret the input as a path and then make the components
valid -- you'll interpret / in a filename as a dir separator.
It also fails to deal with path components that contain just unsupported
characters (resulting in empty component).
The correct way to deal with this is to have a function that takes a
potential file name and replaces unsupported characters.
I'm not going to fix the other issues on Windows, such as reserved file
names, but left a note, and hope that @johnwparent can fix that
separately.
(Obviously we wouldn't have this problem at all if we just fixed the
filename in a safe way instead of trying to derive something from
the url; we could use the content digest when available for example)
Diffstat (limited to 'SECURITY.md')
0 files changed, 0 insertions, 0 deletions