On 19/03/17 02:27 AM, Kat Kioo wrote:
>In general you should just remove the functions at compile time instead of removing at runtime in the VM. Another thing that you might consider a security issue is your makeSafePath function. In general it is not as simple as a few regex replaces.
Not really sure how to imagine the first part. Sounds complicated.
makeSafePath does not use regex. It checks for a relative path that escapes its parent directory (".."); if it doesn't, the user dir is prefixed and the result returned. I tried finding out if there is anything else special going on with paths under Windows, but the best I could find was an MSDN article that didn't reveal anything new. When fed with an absolute path the function should return an invalid path. I'll probably do a check for that and just return nil.
--David
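
The check discussed in this message, as an added example that is not the poster's or the project's code: it normalizes the joined path first and then tests containment, and it refuses absolute, drive-letter and UNC paths instead of prefixing them. Python, the name `make_safe_path`, the `flavour` parameter and the sample directories are assumptions made for illustration; `ntpath` lets the Windows rules be exercised on any OS.

```python
import ntpath
import posixpath


def make_safe_path(user_dir, requested, flavour=posixpath):
    """Join `requested` under `user_dir`; return None if the result escapes it.

    `flavour` is posixpath or ntpath (hypothetical parameter for this example).
    The check is purely lexical: symlinks below user_dir are not resolved.
    """
    if not requested or "\x00" in requested:
        return None
    # Absolute paths, drive letters ("C:x", "C:\\x") and UNC paths are refused
    # outright rather than being prefixed with the user directory.
    if flavour.isabs(requested) or flavour.splitdrive(requested)[0]:
        return None
    base = flavour.normpath(user_dir)
    # normpath collapses "." and ".." (and, for ntpath, turns "/" into "\\"),
    # so the comparison below is made on the simplified path.
    candidate = flavour.normpath(flavour.join(base, requested))
    prefix = base.rstrip(flavour.sep) + flavour.sep
    # normcase makes the prefix comparison case-insensitive under Windows rules.
    inside = flavour.normcase(candidate).startswith(flavour.normcase(prefix))
    if candidate == base or inside:
        return candidate
    return None


# Constructed sample inputs: (user_dir, requested, flavour)
CASES = [
    ("/home/u", "notes/a.txt", posixpath),      # stays inside
    ("/home/u", "a/../b.txt", posixpath),       # contains ".." but stays inside
    ("/home/u", "a/../../x", posixpath),        # escapes after normalization
    ("/home/u", "/etc/passwd", posixpath),      # absolute
    ("C:\\home\\u", "docs/../../x", ntpath),    # forward slashes on Windows
    ("C:\\home\\u", "..\\..\\Windows", ntpath), # backslash traversal
    ("C:\\home\\u", "D:\\x", ntpath),           # other drive
    ("C:\\home\\u", "\\\\srv\\share\\x", ntpath),  # UNC
]

if __name__ == "__main__":
    for user_dir, requested, flavour in CASES:
        print(repr(requested), "->", make_safe_path(user_dir, requested, flavour))
```
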