On Tue, May 01, 2007 at 10:00:00AM +0100, Smylers wrote:
: That'll make it easy for people porting PHP scripts to Perl 6 -- in
: particular for those wanting to port the security hole where a CGI
: parameter is used to form part of a filename opened by a script but a
: malicious user can supply a URL instead and cause the program to do
: things very different from what it intended.
PHP's security hole is that it treats tainting as NIH. Putting http: on
the front of a filename is only one of several ways to attack open, and
open is far from the only spot vulnerable to injection attacks.

Larry
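As an added illustration of the tainting point (not code from the thread or from either poster), the Perl 5 script below runs under taint mode (-T): the CGI-style parameter is refused by open() no matter what it contains, and only a value that has passed an explicit pattern check may be used as a filename. The FILE_PARAM environment variable and the /var/app/reports directory are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example: Perl 5 taint mode. Data arriving from outside the program
# (%ENV, @ARGV, STDIN, CGI parameters) is marked tainted, and open(), system(),
# unlink() and similar calls die when handed a tainted value, so the check is
# not tied to spotting any particular prefix such as "http:".
use strict;
use warnings;

# Constructed stand-in for a CGI parameter; under -T every %ENV value is tainted.
my $param = $ENV{FILE_PARAM} // 'report.txt';

# Using $param directly would die with
#   "Insecure dependency in open while running with -T switch"
# whether the value is "http://evil.example/x", "../../etc/passwd" or a plain name.
# open(my $raw, '<', $param) or die "open: $!";   # dies before reaching open

# A regex capture is the one sanctioned way to untaint: the captured text is
# treated as checked. Only a plain basename (no "/", no leading ".") is accepted.
sub untaint_basename {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/ ? $1 : undef;
}

my $name = untaint_basename($param)
    or die "rejected filename parameter\n";

# $name is now untainted and confined to a basename; anchor it to a fixed directory
# so the validated value can never select a file outside it.
my $path = "/var/app/reports/$name";
if (open my $fh, '<', $path) {
    print while <$fh>;
    close $fh;
} else {
    warn "cannot open $path: $!\n";
}
```

Run with `FILE_PARAM='../secret' perl -T script.pl` to see the parameter rejected before any open() is attempted.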