On 16.02.2011 20:51, Darren New wrote:
> clipka wrote:
>>> STOP, that is no bug, that is by design!
>>
>> What? You mean that it strips any "../.." ???
>
> One would think that at worst the bug would be "it silently gives the
> wrong result instead of reporting an error."
>
> If the intention is to disallow ".." at the start of the string for
> security purposes, it should give an error rather than point at a
> different file (which would be its own security problem right there). If
> it's not security-related, I'm really curious how this could be
> considered a feature.
From the code it is pretty obvious that the original intention is to
eliminate ".." from paths like "foo/bar/../fnord" by contracting it to
"foo/../fnord" - no security stuff intended there.
Also note that paths having the form "../foo" are passed unharmed.
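The contraction described above, as an added example that is not POV-Ray's code: a lexical normaliser that cancels "name/.." pairs and leaves a leading ".." in place, paired with a check that refuses such a result instead of silently pointing at a different file (the failure mode Darren raised). The base directory and function names are assumptions.

```python
"""Lexical ".." contraction plus a containment check (added example)."""
from __future__ import annotations


def contract_dotdot(path: str) -> str:
    """Collapse "name/.." pairs, e.g. "foo/bar/../fnord" -> "foo/fnord".

    A ".." with no preceding component to cancel (a leading "..", or more
    ".." than names) is kept, so "../foo" passes through unchanged.
    Pure string processing: no symlink or filesystem lookup happens.
    """
    out: list[str] = []
    for part in path.split("/"):
        if part in ("", "."):
            continue  # drop empty segments and "."
        if part == ".." and out and out[-1] != "..":
            out.pop()  # cancel the previous real component
        else:
            out.append(part)
    prefix = "/" if path.startswith("/") else ""
    return prefix + "/".join(out)


def resolve_within(base: str, user_path: str) -> str | None:
    """Join the contracted path under base, or return None (an error to the
    caller) when it is absolute or still starts with "..", i.e. would
    escape base. Refusing is safer than quietly opening another file."""
    contracted = contract_dotdot(user_path)
    if contracted.startswith("/") or contracted.split("/", 1)[0] == "..":
        return None
    root = base.rstrip("/")
    return f"{root}/{contracted}" if contracted else root


if __name__ == "__main__":
    # Constructed sample inputs; the base directory is hypothetical.
    for p in ("foo/bar/../fnord", "../foo", "foo/../../bar", "/etc/hosts"):
        print(f"{p!r:22} -> {contract_dotdot(p)!r:12} "
              f"within base: {resolve_within('/srv/scenes', p)!r}")
```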