GH-126601: pathname2url(): handle NTFS alternate data streams by barneygale · Pull Request #126760 · python/cpython (original) (raw)

I haven't tracked down what functions are impacted, but my assumption would be that existing users may notice behaviour changes where the path is an arbitrary input.

I'm most concerned about opening up a potential exploit, especially since alternate streams are not commonly used (and would rarely traverse a URL). Perhaps there's a scenario that's worth the risk to have the change, but I'm not aware of it, so I'm inclined to play it safe on a strict correctness issue that isn't actively hurting anyone.