NAME¶
Perl::Critic::Policy::InputOutput::RequireEncodingWithUTF8Layer - Write
"open $fh, q{<:encoding(UTF-8)}, $filename;" instead of
"open $fh, q{{<:utf8}, $filename;".
AFFILIATION¶
This Policy is part of the core Perl::Critic distribution.
DESCRIPTION¶
Use of the ":utf8" I/O layer (as opposed to
":encoding(UTF8)" or ":encoding(UTF-8)") was suggested in
the Perl documentation up to version 5.8.8. This may be OK for output, but on
input ":utf8" does not validate the input, leading to unexpected
results.
An exploit based on this behavior of ":utf8" is exhibited on PerlMonks
at <
http://www.perlmonks.org/?node_id=644786>. The exploit involves a
string read from an external file and sanitized with "m/^(\w+)$/",
where $1 nonetheless ends up containing shell meta-characters.
To summarize:
open $fh, '<:utf8', 'foo.txt'; # BAD
open $fh, '<:encoding(UTF8)', 'foo.txt'; # GOOD
open $fh, '<:encoding(UTF-8)', 'foo.txt'; # BETTER
See the Encode documentation for the difference between "UTF8" and
"UTF-8". The short version is that "UTF-8" implements the
Unicode standard, and "UTF8" is liberalized.
For consistency's sake, this policy checks files opened for output as well as
input, For complete coverage it also checks "binmode()" calls, where
the direction the operation can not be determined.
CONFIGURATION¶
This Policy is not configurable except for the standard options.
NOTES¶
Because "Perl::Critic" does a static analysis, this policy can not
detect cases like
my $encoding = ':utf8';
binmode $fh, $encoding;
where the encoding is computed.
SEE ALSO¶
PerlIO
Encode
"perldoc -f binmode"
<
http://www.socialtext.net/perl5/index.cgi?the_utf8_perlio_layer>
<
http://www.perlmonks.org/?node_id=644786>
AUTHOR¶
Thomas R. Wyant, III
wyant at cpan dot org
COPYRIGHT¶
Copyright (c) 2010-2011 Thomas R. Wyant, III
This program is free software; you can redistribute it and/or modify it under
the same terms as Perl itself.