Lasse Collin wrote:
> The patch makes readdir() detect that lossless conversion isn't
> possible and inform the application with EOVERFLOW

Yes, that's my understanding as well.

> instead of returning a made-up name that might even be dangerous.

This "might be dangerous" claim is IMO exaggerated, because

  * When an attacker can control the file names on a user's disk,
    they already have access to all user data.

  * Such "made-up names" exist also on other file systems:
      - Windows, for 30 years,
      - Apple HFS+, which creates unicode_decomposed(filename) when
        you ask it to create filename,
      - probably Linux with VFAT as well (depending on mount options).

> I don't see how this could affect open(), chdir(), etc. negatively.

My point is that your patch will make errors happen inside applications
that did not occur before, with arbitrary consequences.

Without your patch, an application has the guarantee that when one of
the file system APIs has returned a file name, the other file system APIs
will be able to handle it (ignoring ENAMETOOLONG cases, which rarely occur
in practice). Your patch breaks this guarantee.

Therefore my request to do this change of conversion on *all* file system
APIs, or on none.

And when done on all file system APIs, in the scope of Gnulib, it's best
done via a transversal module (because doing it otherwise would be a huge
patch series that we cannot properly review).

Bruno
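An added example (not code from this thread or from Gnulib) of the directory walk an application would need under the behaviour being discussed: it sets errno to 0 before each readdir() call so that a NULL return with errno set (for instance EOVERFLOW for a name that cannot be converted losslessly) is told apart from end-of-directory, and it passes every name readdir() did return to fstatat() to check the guarantee Bruno describes. The thread does not say whether readdir() can be resumed after EOVERFLOW, so the loop stops at the first error and records it; struct dir_scan and scan_directory are names chosen for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

struct dir_scan {
  long entries;       /* names readdir() handed out */
  long unusable;      /* names readdir() returned but fstatat() rejected */
  int  readdir_errno; /* 0 at a clean end-of-stream, else the errno readdir() set */
};

/* Scans DIRPATH (example code, not Gnulib's). POSIX readdir() reports errors
   only via errno, so errno is cleared before each call; a NULL return with
   errno != 0 (e.g. EOVERFLOW) is an error, not end-of-directory.
   Returns 0 if the directory was opened (errors from readdir() are recorded), -1 otherwise. */
int scan_directory(const char *dirpath, struct dir_scan *out)
{
  memset(out, 0, sizeof *out);
  DIR *d = opendir(dirpath);
  if (d == NULL)
    return -1;
  for (;;) {
    errno = 0;
    struct dirent *e = readdir(d);
    if (e == NULL) {
      out->readdir_errno = errno;  /* 0 means end of directory */
      break;
    }
    out->entries++;
    struct stat st;  /* does the other file-system API accept the returned name? */
    if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0)
      out->unusable++;
  }
  closedir(d);
  return 0;
}

int main(int argc, char **argv)
{
  struct dir_scan s;
  if (scan_directory(argc > 1 ? argv[1] : ".", &s) != 0) { perror("opendir"); return 1; }
  printf("%ld entries, %ld unusable, readdir errno %d\n", s.entries, s.unusable, s.readdir_errno);
  return 0;
}
```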
