From: Sam H. <sh...@ma...> - 2006-11-28 19:46:49
on 11/28/06 2:34 PM Davide P. Cervone said the following:
>> This is the second attempt to close this hole. The previous attempt
>> assumed that | binds tighter than ^ and $, which is not true. (Noticed
>> by dpvc). It also failed to escape metacharacters in the file names.
>
> One last thing with this: I don't know if quotemeta does anything
> with dots, but the dots in the file names will match any character
> unless they are quoted to \. So "IO-pl" would load in unsafe mode.

Hi Davide,

quotemeta is pretty conservative. It escapes any non-word character. Just to check:

[sh002i@devel] ~/work/pg/lib/WeBWorK/PG$ perl -e 'print quotemeta("."), "\n"'
\.

Cool.
-sam
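
The two regex problems discussed in this thread, shown side by side with the quotemeta-based form. This is an added example, not part of the original message or the project's patch; the file names in @trusted, the variable names and the trusted_by helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist of file names (assumed, not taken from the patch).
my @trusted = ('IO.pl', 'PG.pl');

# Problem 1: ^ and $ bind tighter than |, so this pattern means
# (^IO.pl) OR (PG.pl$): only one end of each alternative is anchored.
my $joined = join '|', @trusted;
my $loose  = qr/^$joined$/;

# Problem 2: the alternation is grouped, so both anchors apply to every
# name, but "." is still a metacharacter that matches any character.
my $unescaped = qr/^(?:$joined)$/;

# Both fixed: quotemeta escapes every non-word character in each name
# before the names are joined, and the group keeps the anchors outside.
my $escaped = join '|', map { quotemeta($_) } @trusted;
my $strict  = qr/^(?:$escaped)$/;

# Hypothetical helper: returns 1 if $name matches the allowlist regex.
sub trusted_by {
    my ($re, $name) = @_;
    return $name =~ $re ? 1 : 0;
}

# Constructed candidates: one exact name and three near misses.
for my $name ('IO.pl', 'IO-pl', 'IO.pl.extra', 'otherPG.pl') {
    printf "%-12s loose=%d unescaped=%d strict=%d\n", $name,
        map { trusted_by($_, $name) } $loose, $unescaped, $strict;
}
```

Only the exact name should be accepted by all three patterns; each near miss that a weaker pattern accepts corresponds to one of the two problems named in the quoted commit message and in Davide's follow-up.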