Add comment explaining Windows-specific multiple_dots behavior

On Windows, Path.resolve() treats '....' as parent traversal (403), while on Unix it is a literal directory name that stays inside the base directory (404).
2026-02-19 16:05:35 -07:00 · 2026-02-08 07:55:48 -06:00
parent b8cad678b1
commit 2ceb6ee95b
1 changed files with 4 additions and 0 deletions
--- a/tests/dashboard/test_web_server.py
+++ b/tests/dashboard/test_web_server.py
@@ -538,6 +538,10 @@ async def test_download_binary_handler_subdirectory_file_url_encoded(
        pytest.param("//etc/passwd", 403, id="double_slash_absolute"),
        pytest.param(
            "....//secrets.yaml",
+            # On Windows, Path.resolve() treats "..." and "...." as parent
+            # traversal (like ".."), so the path escapes base_dir -> 403.
+            # On Unix, "...." is a literal directory name that stays inside
+            # base_dir but doesn't exist -> 404.
            403 if sys.platform == "win32" else 404,
            id="multiple_dots",
        ),