- Subject: FindFirstFile vulnerability and Lua
- From: Alexander Gladysh <agladysh@...>
- Date: Fri, 28 Jan 2011 12:58:50 +0300
This is, most likely, not relevant to Lua, but it never hurts to check.
The FindFirstFile call in the Win32 API silently replaces ">" with "?" and "<"
with "*". This means that anyone who passes untrusted data to this
function must filter these symbols out. (It makes sense to filter
them out anyway, I think, but PHP developers, apparently, did not
Note that FindFirstFile may be called implicitly, when working with
files using standard C API.
Article (in Russian):
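
The filtering the post calls for, as an added example that is not part of the original message or of Lua's code: a check that an untrusted file name contains no wildcard characters, plus a helper showing which pattern the name turns into under the substitution described above. The function names, the sample names and the simplified matcher (case-sensitive, plain `*` and `?` semantics) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* '*' and '?' are the ordinary wildcards; '<' and '>' are the
 * characters the post says are silently turned into them. */
static const char WILDCARDS[] = "*?<>";

/* Returns 1 if the untrusted name is non-empty and wildcard-free. */
int name_is_literal(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    return name[strcspn(name, WILDCARDS)] == '\0';
}

/* Writes into out the pattern that name becomes under the substitution
 * described in the post ('>' -> '?', '<' -> '*').
 * Returns 0 on success, -1 if out is too small. */
int effective_pattern(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (n + 1 > outlen)
        return -1;
    for (size_t i = 0; i <= n; i++) {   /* <= n copies the terminator */
        char c = name[i];
        out[i] = (c == '>') ? '?' : (c == '<') ? '*' : c;
    }
    return 0;
}

/* Simplified matcher (assumption): '*' = any run, '?' = one character. */
int glob_match(const char *p, const char *s)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return glob_match(p + 1, s) || (*s && glob_match(p, s + 1));
    return *s && (*p == '?' || *p == *s) && glob_match(p + 1, s + 1);
}

/* Returns 1 if name, once substituted, would select an existing entry
 * whose name differs from the string the caller supplied. */
int resolves_to_other_name(const char *name, const char *existing)
{
    char pat[260];
    if (effective_pattern(name, pat, sizeof pat) != 0)
        return 0;
    return strcmp(name, existing) != 0 && glob_match(pat, existing);
}
```

Calling `name_is_literal` before any file API sees the name rejects such input outright; `resolves_to_other_name` is only there to show, for logging or tests, why a name containing `<` or `>` is not a literal name.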