On Wed, 2 Mar 2016 13:31:55 +1300, I wrote:
A Google engineer has published a detailed exposé on how Microsoft Windows handles file and directory pathnames (as opposed to how it is documented to handle them) <http://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html> (found from <http://www.theregister.co.uk/2016/03/01/windows_path_hacks/>).
I started a discussion <https://groups.google.com/d/msg/comp.lang.python/zlrgsANRjRU/oAJe2qTECQAJ> on comp.lang.python about the API that newer versions of Python add to try to help you deal with this. It turns out the cross-platform code is not entirely correct <https://groups.google.com/d/msg/comp.lang.python/zlrgsANRjRU/KxR5_udkCgAJ>. And if you think that the Python developers are perhaps not so smart, bear in mind even Microsoft cannot correctly filter out such dangerous pathnames on its own websites <https://groups.google.com/d/msg/comp.lang.python/zlrgsANRjRU/7R80uTKcCgAJ>.