commit: bcbfa169080c8ffb4fd246826ca872935a691a80
parent ffca92e4cf4bda17314d454d5e36ecd8d0418472
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Tue, 5 Aug 2025 20:19:20 +0200
notes/unix-defects.xhtml: add paragraph about `../`
Diffstat:
1 file changed, 6 insertions(+), 0 deletions(-)
diff --git a/notes/unix-defects.xhtml b/notes/unix-defects.xhtml
@@ -66,6 +66,12 @@
Meaning that applications also often roll their own solution.<br />
Compare this to Haiku
</p>
+ <p>
+ Also I think <code>../</code> outside of an explicit query like <code>glob</code> was a mistake, specially as it works like a query.
+ For example if <code>../../../../../etc/passwd</code> resolves fine, so does <code>../../../../../../../../etc/passwd</code>.
+ <br />
+ Which means that preventing path traversal is done via defensive programming / hardening, rather than being careful about API usage.
+ </p>
<h3 id="fs_atom">Filesystem lack of transactions</h3>
<p>
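Review bot: the new paragraph's second sentence asserts that extra `../` components make no difference without saying why; the reason is that `..` of the root directory resolves to the root itself, so once a relative path has climbed to `/` any further `../` is a no-op, and stating that makes the "works like a query" argument much clearer. Two smaller points in the same hunk: "specially" should be "especially", and the bare `<br />` splitting the paragraph reads as a layout hack, so consider either two `<p>` elements or a single sentence ("... which means that preventing path traversal ...").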