
File::Spec strict mode - path components are just single components #8670

Open
p5pRT opened this issue Nov 5, 2006 · 4 comments

Comments


p5pRT commented Nov 5, 2006

Migrated from rt.perl.org#40680 (status was 'open')

Searchable as RT40680$


p5pRT commented Jul 13, 2006

From @epa

Created by @epa

The documentation of File::Spec->catfile() says that it concatenates
one or more directory names and a filename. But in fact it doesn't do
much checking that what you passed it are individual path components;
the 'filename' could itself be a path like a/b.

This could often be useful, but on the other hand if you're intending
to work with individual path components it would be nice to have a
check that you really are supplying them. So if you call
catfile('some_dir', $filename) you can be certain that you'll get back
a file underneath some_dir - not a subdirectory several levels deep,
or outside some_dir altogether. This would be particularly useful
when dealing with untrusted user input.

  use File::Spec;
  # No check today: the third argument is itself a path, so this prints
  # a/b/../../../x on Unix-like systems without raising any error.
  print File::Spec->catfile('a', 'b', '../../../x');

In 'strict' mode this would throw an exception, as would

  # An absolute component in the middle of the list would be rejected too.
  print File::Spec->catfile('a', '/b', 'x');

or other cases where any of the arguments aren't atomic path
components.

I'll be happy to write a patch for this if you agree with the
principle.

Perl Info

Flags:
    category=utilities
    severity=wishlist

Site configuration information for perl v5.8.7:

Configured by gerrit at Fri Dec 30 02:40:15     2005.

Summary of my perl5 (revision 5 version 8 subversion 7) configuration:
  Platform:
    osname=cygwin, osvers=1.5.18(0.13242), archname=cygwin-thread-multi-64int
    uname='cygwin_nt-5.1 inspiron 1.5.18(0.13242) 2005-07-02 20:30 i686 unknown unknown cygwin '
    config_args='-de -Dmksymlinks -Duse64bitint -Dusethreads -Uusemymalloc -Doptimize=-O3 -Dman3ext=3pm -Dusesitecustomize'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-DPERL_USE_SAFE_PUTENV -fno-strict-aliasing -pipe -I/usr/local/include',
    optimize='-O3',
    cppflags='-DPERL_USE_SAFE_PUTENV -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='3.4.4 (cygming special) (gdc 0.12, using dmd 0.125)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='ld2', ldflags =' -s -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -ldb -lcrypt -lgdbm_compat
    perllibs=-lcrypt -lgdbm_compat
    libc=/usr/lib/libc.a, so=dll, useshrplib=true, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' -s'
    cccdlflags=' ', lddlflags=' -s -L/usr/local/lib'

Locally applied patches:
    SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962


@INC for perl v5.8.7:
    /cygdrive/h/lib/perl5/site_perl/5.8/cygwin
    /cygdrive/h/lib/perl5/site_perl/5.8
    /usr/lib/perl5/5.8/cygwin
    /usr/lib/perl5/5.8
    /usr/lib/perl5/site_perl/5.8/cygwin
    /usr/lib/perl5/site_perl/5.8
    /usr/lib/perl5/site_perl/5.8/cygwin
    /usr/lib/perl5/site_perl/5.8
    /usr/lib/perl5/vendor_perl/5.8/cygwin
    /usr/lib/perl5/vendor_perl/5.8
    /usr/lib/perl5/vendor_perl/5.8/cygwin
    /usr/lib/perl5/vendor_perl/5.8
    .


Environment for perl v5.8.7:
    HOME=//wcl-fp1/users/eavis
    LANG=C
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/bin:/usr/bin:/usr/X11R6/bin:/cygdrive/c/Program Files/Insightful/splus70/:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/Program Files/Microsoft SQL Server/80/Tools/BINN:/cygdrive/h/winnt/gtk/bin:/cygdrive/c/blp/API:/cygdrive/h/winnt/bin:/cygdrive/h/bin:/usr/bin:/usr/bin:/usr/X11R6/bin:/cygdrive/c/Program Files/Insightful/splus70/:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/Program Files/Microsoft SQL Server/80/Tools/BINN:/cygdrive/h/winnt/gtk/bin:/cygdrive/c/blp/API
    PERL5LIB=/cygdrive/h/lib/perl5/site_perl/5.8
    PERL_BADLANG (unset)
    SHELL (unset)

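One way to get the 'strict' behaviour the report asks for today, as an added example that is not part of the original report and not an API that File::Spec provides: a wrapper that checks every argument with File::Spec's own portable helpers (splitdir, file_name_is_absolute, splitpath, curdir, updir) and only then delegates to catfile. The names strict_catfile and is_atomic_component, the exact rejection rules and the sample inputs are this example's assumptions.

```perl
#!/usr/bin/env perl
# Added example: a strict front end for File::Spec->catfile that rejects any
# argument which is not one relative, atomic path component. Not part of
# File::Spec; strict_catfile and is_atomic_component are names chosen here.
use strict;
use warnings;
use File::Spec;
use Carp qw(croak);

# True only if $part is a single path component: defined and non-empty,
# not '.' or '..', not absolute, carrying no volume prefix, and not
# splittable into further directories by the platform's separator.
sub is_atomic_component {
    my ($part) = @_;
    return 0 unless defined $part && length $part;
    return 0 if $part eq File::Spec->curdir || $part eq File::Spec->updir;
    return 0 if File::Spec->file_name_is_absolute($part);
    # splitdir yields more than one element when a separator is present,
    # e.g. 'a/b' on Unix or 'a\b' on Win32; a trailing separator does too.
    my @pieces = File::Spec->splitdir($part);
    return 0 unless @pieces == 1 && $pieces[0] eq $part;
    # A volume prefix such as 'C:' (Win32) is not a plain component either;
    # the second argument tells splitpath to treat $part as a directory.
    my ($vol) = File::Spec->splitpath($part, 1);
    return 0 if length $vol;
    return 1;
}

# Like File::Spec->catfile, but croaks unless every argument is atomic,
# so the result is guaranteed to sit directly under the given directories.
sub strict_catfile {
    my @parts = @_;
    for my $i (0 .. $#parts) {
        next if is_atomic_component($parts[$i]);
        my $shown = defined $parts[$i] ? "'$parts[$i]'" : 'undef';
        croak "strict_catfile: argument $i ($shown) is not a single path component";
    }
    return File::Spec->catfile(@parts);
}

# Constructed inputs, including the two cases from the report.
my @cases = (
    ['a', 'b', 'x'],             # accepted: three atomic components
    ['a', 'b', '../../../x'],    # rejected: would climb out of a/b
    ['a', '/b', 'x'],            # rejected: absolute component in the list
    ['some_dir', 'sub/file'],    # rejected: the 'filename' is itself a path
);

for my $args (@cases) {
    my $path = eval { strict_catfile(@$args) };
    if (defined $path) {
        printf "ok       %-28s -> %s\n", join(', ', @$args), $path;
    } else {
        (my $err = $@) =~ s/ at \S+ line \d+\.?\n//;
        printf "rejected %-28s -> %s\n", join(', ', @$args), $err;
    }
}
```

The check is deliberately done on each argument before concatenation rather than on the joined result: canonpath does not collapse '..', so inspecting the output of catfile would not tell you whether an argument escaped its directory, whereas an argument-level check does, and it works the same way on every platform File::Spec supports.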




p5pRT commented Nov 24, 2006

The RT System itself - Status changed from 'new' to 'open'
