On MSWindows, I just found out that, apparently for compatibility with legacy DOS rules, various file names, like "con", are magic no matter where they are in the directory tree nor what their extension is. Reading from */con.* in particular reads the keyboard.
This means that giving Bob the ability to create files in a particular subdirectory on MSWindows also gives Bob the ability to read the user's keyboard!!
It is not at all clear what the right fix for this is.
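One check that code handing out a file-creation ability could apply before touching the file system, as an added example that is not part of the original report and is not offered as the project's fix. The function names are hypothetical, and the device list is a deliberately conservative assumption based on Microsoft's documented reserved names.

```python
import re

# Legacy DOS device names. Conservative list (assumption): includes COM0/LPT0
# and the superscript-digit forms so that doubtful names are refused.
_DEVICES = {"CON", "PRN", "AUX", "NUL", "CONIN$", "CONOUT$"}
_DEVICES |= {p + d for p in ("COM", "LPT") for d in "0123456789\u00b9\u00b2\u00b3"}


def is_dos_device_name(component: str) -> bool:
    """True if one path component names a DOS device, whatever its extension.

    Only the text before the first dot counts, compared case-insensitively
    with trailing spaces dropped, so "con", "CON.txt" and "con .log" all match.
    """
    base = component.partition(".")[0].rstrip(" ").upper()
    return base in _DEVICES


def first_reserved_component(path: str):
    """Return the first component of a \\ or / separated path that is a device name."""
    for part in re.split(r"[\\/]+", path):
        if is_dos_device_name(part):
            return part
    return None


def check_child_name(name: str) -> str:
    """Validate a name an untrusted party wants to create in a delegated directory.

    Hypothetical helper: returns the name unchanged or raises ValueError.
    """
    if not name or name in (".", ".."):
        raise ValueError("empty or relative name")
    if re.search(r'[\\/:]', name):
        raise ValueError("separators and ':' are not allowed in a child name")
    if name[-1] in ". ":
        raise ValueError("trailing dot or space is stripped by Windows")
    if is_dos_device_name(name):
        raise ValueError(f"{name!r} resolves to a DOS device, not a file")
    return name


if __name__ == "__main__":
    # Constructed sample names, not taken from the original report.
    for sample in ("report.txt", "con.txt", "Aux", "lpt1.tar.gz", "contact.con"):
        print(sample, "->", "device" if is_dos_device_name(sample) else "ok")
```

The check has to run on every component of a path the untrusted party supplies, not only the last one, since the device names are honoured anywhere in the directory tree.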