[dmd-internals] Tighten security on file imports
walter at digitalmars.com
Sun Feb 21 20:18:31 PST 2010
I think your patch is good for Posix, but not for Windows. I'll leave
the existing code for Windows. I agree it's more restrictive than
necessary, but I don't know all the tricks people use on these things,
so I thought it best to err on the safe side.
Leandro Lucarella wrote:
> Hi, I just saw the changeset 389, and I think this is going the wrong
> way. Security should be tightened, but trying to keep the restrictions on
> files as much as possible (not the other way).
> What is the point of not allowing, for example, "+", "-", " " and a whole
> lot of harmless chars? I really can't understand that change.
> Related to this is bug 3420 (with a partial, Linux/Posix-only, patch
> written by me), which tries to keep security while loosening restrictions.
> You even accept "." chars in the name (in the dumb check for valid
> characters), which is the most harmful char that ever existed =)
>  http://www.dsource.org/projects/dmd/changeset/389
>  http://d.puremagic.com/issues/show_bug.cgi?id=3420
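
The argument in this thread, that a character allowlist can reject harmless file names yet still accept one that leaves the import directory, shown as an added example (not part of the original messages and not dmd's code). The allowlist in `charset_ok` is an assumption modelled on the quoted description, and `stays_inside` is a hypothetical Posix-only lexical check.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist modelled on the thread: letters, digits, '_' and '.'. */
static bool charset_ok(const char *name) {
    if (*name == '\0') return false;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '.')
            return false;
    return true;
}

/* Hypothetical containment check: walk '/'-separated components and track
   the depth below the import directory. Absolute paths and any ".." that
   climbs above depth 0 are rejected. Posix separators only: backslashes,
   drive letters and symlinks are not handled here. */
static bool stays_inside(const char *name) {
    if (*name == '\0' || *name == '/') return false;
    int depth = 0;
    const char *p = name;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return false;      /* escaped the directory */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                            /* ordinary component */
        }
        p += len;
        if (*p == '/') p++;
    }
    return depth > 0;   /* must name something below the directory */
}

int main(void) {
    /* Constructed sample names. */
    const char *samples[] = { "my-notes v1+2.txt", "..", "sub/../../etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s charset=%d contained=%d\n", samples[i],
               charset_ok(samples[i]), stays_inside(samples[i]));
    return 0;
}
```

The lexical check does not resolve symlinks, so it complements rather than replaces a comparison of canonicalized paths.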