From 2ceb6ee95b1abfac7e323906f6df2b4d7fdec529 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@home-assistant.io>
Date: Sun, 8 Feb 2026 07:55:48 -0600
Subject: [PATCH] Add comment explaining Windows-specific multiple_dots
 behavior

On Windows, Path.resolve() treats '....' as parent traversal (403),
while on Unix it is a literal directory name that stays inside the
base directory (404).
---
 tests/dashboard/test_web_server.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/dashboard/test_web_server.py b/tests/dashboard/test_web_server.py
index 274cda3636..9ea7a5164b 100644
--- a/tests/dashboard/test_web_server.py
+++ b/tests/dashboard/test_web_server.py
@@ -538,6 +538,10 @@ async def test_download_binary_handler_subdirectory_file_url_encoded(
         pytest.param("//etc/passwd", 403, id="double_slash_absolute"),
         pytest.param(
             "....//secrets.yaml",
+            # On Windows, Path.resolve() treats "..." and "...." as parent
+            # traversal (like ".."), so the path escapes base_dir -> 403.
+            # On Unix, "...." is a literal directory name that stays inside
+            # base_dir but doesn't exist -> 404.
             403 if sys.platform == "win32" else 404,
             id="multiple_dots",
         ),