[dmd-internals] Tighten security on file imports

Walter Bright walter at digitalmars.com
Sun Feb 21 20:18:31 PST 2010

I think your patch is good for Posix, but not for Windows. I'll leave 
the existing code for Windows. I agree it's more restrictive than 
necessary, but I don't know all the tricks people use on these things, 
so I thought it best to err on the safe side.

Leandro Lucarella wrote:
> Hi, I just saw the changeset 389[1], and I think this is going the wrong
> way. Security should be tighten, but trying to keep the restrictions on
> files as much as possible (not the other way).
> What is the point on not allowing, for example, "+", "-", " " and a whole
> lot of harmless chars? I really can't understand that change.
> Related to this is bug 3420[2] (with a partial, Linux/Posix-only, patch
> written by me), why tries to keep security loosing restrictions.
> You even accept "." chars in the name (in the dumb check for valid
> characters), which is the most harmful char that ever existed =)
> [1] http://www.dsource.org/projects/dmd/changeset/389
> [2] http://d.puremagic.com/issues/show_bug.cgi?id=3420

More information about the dmd-internals mailing list