Open p5pRT opened 17 years ago
The documentation of File::Spec->catfile() says that it concatenates one or more directory names and a filename. But in fact it doesn't do much checking that what you passed it are individual path components; the 'filename' could itself be a path like a/b.
This could often be useful, but on the other hand if you're intending to work with individual path components it would be nice to have a check that you really are supplying them. So if you call catfile('some_dir', $filename) you can be certain that you'll get back a file underneath some_dir - not a subdirectory several levels deep, or outside some_dir altogether. This would be particularly useful when dealing with untrusted user input.
use File::Spec; print File::Spec->catfile('a', 'b', '../../../x');
In 'strict' mode this would throw an exception, as would
print File::Spec->catfile('a', '/b', 'x');
or other cases where any of the arguments aren't atomic path components.
I'll be happy to write a patch for this if you agree with the principle.
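The check proposed above can be built today as a wrapper around the real catfile(). The following is an added example, not code from the ticket or from File::Spec itself; catfile_strict is a hypothetical name, and the demonstration inputs at the bottom are constructed. It uses only documented File::Spec methods (file_name_is_absolute, splitpath, splitdir, no_upwards) so that "atomic path component" is judged by the same rules File::Spec applies on the running platform, and it rejects exactly the two cases from the report (an upward-traversing component and an absolute component) plus a component that carries a separator, a volume, or a NUL byte.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Carp qw(croak);

# Hypothetical strict wrapper (not part of File::Spec): every argument must be
# a single atomic path component, otherwise an exception is thrown. Only after
# all arguments pass is the real File::Spec->catfile called.
sub catfile_strict {
    my @parts = @_;
    croak "catfile_strict: no components given" unless @parts;

    for my $i ( 0 .. $#parts ) {
        my $p = $parts[$i];
        croak "component $i is undefined" unless defined $p;
        croak "component $i is empty"     if $p eq '';

        # A NUL byte would truncate the path at the C library level.
        croak "component $i contains a NUL byte" if index( $p, "\0" ) >= 0;

        # Absolute components ('/b') would discard everything before them.
        croak "component $i ('$p') is absolute"
            if File::Spec->file_name_is_absolute($p);

        # A volume prefix (e.g. 'C:' on Win32) is not a plain component either.
        my ( $vol, undef, undef ) = File::Spec->splitpath($p);
        croak "component $i ('$p') carries a volume" if length $vol;

        # splitdir yields more than one element when a separator is present,
        # so 'a/b' (or 'a\\b' on Win32) is caught here.
        my @sub = File::Spec->splitdir($p);
        croak "component $i ('$p') contains a directory separator" if @sub != 1;

        # no_upwards filters out '.' and '..'; an atomic component must survive.
        my @kept = File::Spec->no_upwards($p);
        croak "component $i ('$p') is a relative reference" unless @kept;
    }

    return File::Spec->catfile(@parts);
}

# Demonstration on constructed inputs. The first call is accepted; the other
# three reproduce the shapes the ticket wants a strict mode to reject.
my @cases = (
    [ 'a', 'b', 'c.txt' ],
    [ 'a', 'b', '../../../x' ],
    [ 'a', '/b', 'x' ],
    [ 'a', 'b/c' ],
);

for my $case (@cases) {
    my $path = eval { catfile_strict(@$case) };
    if ( defined $path ) {
        print "ok:       ", join( ', ', @$case ), " -> $path\n";
    }
    else {
        chomp( my $err = $@ );
        print "rejected: ", join( ', ', @$case ), " -> $err\n";
    }
}
```

Because each argument is validated before any joining happens, a caller that writes catfile_strict('some_dir', $filename) with $filename taken from a request can rely on the result naming a direct child of some_dir. Note that the wrapper does not resolve symlinks; if the directory tree itself may contain links that point elsewhere, that is a separate check to make on the resulting path.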
The RT System itself - Status changed from 'new' to 'open'
Migrated from rt.perl.org#40680 (status was 'open')
Searchable as RT40680$