line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Perl::Critic::Policy::InputOutput::RequireEncodingWithUTF8Layer; |
2
|
|
|
|
|
|
|
|
3
|
40
|
|
|
40
|
|
27110
|
use 5.010001; |
|
40
|
|
|
|
|
177
|
|
4
|
40
|
|
|
40
|
|
276
|
use strict; |
|
40
|
|
|
|
|
107
|
|
|
40
|
|
|
|
|
914
|
|
5
|
40
|
|
|
40
|
|
226
|
use warnings; |
|
40
|
|
|
|
|
114
|
|
|
40
|
|
|
|
|
1020
|
|
6
|
|
|
|
|
|
|
|
7
|
40
|
|
|
40
|
|
278
|
use Readonly; |
|
40
|
|
|
|
|
111
|
|
|
40
|
|
|
|
|
2008
|
|
8
|
|
|
|
|
|
|
|
9
|
40
|
|
|
40
|
|
304
|
use Perl::Critic::Utils qw{ :severities :ppi }; |
|
40
|
|
|
|
|
448
|
|
|
40
|
|
|
|
|
2131
|
|
10
|
40
|
|
|
40
|
|
6434
|
use parent 'Perl::Critic::Policy'; |
|
40
|
|
|
|
|
141
|
|
|
40
|
|
|
|
|
308
|
|
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
our $VERSION = '1.150'; |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
Readonly::Scalar my $DESC => q{I/O layer ":utf8" used}; |
17
|
|
|
|
|
|
|
Readonly::Scalar my $EXPL => q{Use ":encoding(UTF-8)" to get strict validation}; |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
Readonly::Scalar my $THREE_ARGUMENT_OPEN => 3; |
20
|
|
|
|
|
|
|
Readonly::Hash my %RECOVER_ENCODING => ( |
21
|
|
|
|
|
|
|
binmode => \&_recover_binmode_encoding, |
22
|
|
|
|
|
|
|
open => \&_recover_open_encoding, |
23
|
|
|
|
|
|
|
); |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
26
|
|
|
|
|
|
|
|
27
|
89
|
|
|
89
|
0
|
1610
|
sub supported_parameters { return () } |
28
|
74
|
|
|
74
|
1
|
341
|
sub default_severity { return $SEVERITY_HIGHEST } |
29
|
74
|
|
|
74
|
1
|
376
|
sub default_themes { return qw(core bugs security) } |
30
|
36
|
|
|
36
|
1
|
121
|
sub applies_to { return 'PPI::Token::Word' } |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
33
|
|
|
|
|
|
|
|
34
|
|
|
|
|
|
|
sub violates { |
35
|
358
|
|
|
358
|
1
|
668
|
my ($self, $elem, $document) = @_; |
36
|
|
|
|
|
|
|
|
37
|
358
|
50
|
|
|
|
605
|
my $handler = $RECOVER_ENCODING{ $elem->content() } |
38
|
|
|
|
|
|
|
or return; # If we don't have a handler, we're not interested. |
39
|
0
|
0
|
|
|
|
|
my $encoding = $handler->( parse_arg_list( $elem ) ) |
40
|
|
|
|
|
|
|
or return; # If we can't recover an encoding, we give up. |
41
|
0
|
0
|
|
|
|
|
return if $encoding !~ m/ (?: \A | : ) utf8 \b /smxi; # OK |
42
|
|
|
|
|
|
|
|
43
|
0
|
|
|
|
|
|
return $self->violation( $DESC, $EXPL, $elem ); |
44
|
|
|
|
|
|
|
} |
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
# my $string = _get_argument_string( $arg[1] ); |
49
|
|
|
|
|
|
|
# |
50
|
|
|
|
|
|
|
# This subroutine returns the string from the given argument (which must |
51
|
|
|
|
|
|
|
# be a reference to an array of PPI objects), _PROVIDED_ the array |
52
|
|
|
|
|
|
|
# contains a single PPI::Token::Quote object. Otherwise it simply |
53
|
|
|
|
|
|
|
# returns, since we're too stupid to analyze anything else. |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
sub _get_argument_string { |
56
|
0
|
|
|
0
|
|
|
my ( $arg ) = @_; |
57
|
0
|
0
|
|
|
|
|
ref $arg eq 'ARRAY' or return; |
58
|
0
|
0
|
0
|
|
|
|
return if @{ $arg } == 0 || @{ $arg } > 1; |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
59
|
0
|
0
|
|
|
|
|
return $arg->[0]->string() if $arg->[0]->isa( 'PPI::Token::Quote' ); |
60
|
0
|
|
|
|
|
|
return; |
61
|
|
|
|
|
|
|
} |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
64
|
|
|
|
|
|
|
|
65
|
|
|
|
|
|
|
# my $encoding = _recover_binmode_encoding( _parse_arg_list( $elem ) ); |
66
|
|
|
|
|
|
|
# |
67
|
|
|
|
|
|
|
# This subroutine returns the encoding specified by the given $elem, |
68
|
|
|
|
|
|
|
# which _MUST_ be the 'binmode' of a binmode() call. |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
sub _recover_binmode_encoding { |
71
|
0
|
|
|
0
|
|
|
my ( @args ) = @_; |
72
|
0
|
|
|
|
|
|
return _get_argument_string( $args[1] ); |
73
|
|
|
|
|
|
|
} |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
# my $encoding = _recover_open_encoding( _parse_arg_list( $elem ) ); |
78
|
|
|
|
|
|
|
# |
79
|
|
|
|
|
|
|
# This subroutine returns the encoding specified by the given $elem, |
80
|
|
|
|
|
|
|
# which _MUST_ be the 'open' of an open() call. |
81
|
|
|
|
|
|
|
|
82
|
|
|
|
|
|
|
sub _recover_open_encoding { |
83
|
0
|
|
|
0
|
|
|
my ( @args ) = @_; |
84
|
0
|
0
|
|
|
|
|
@args < $THREE_ARGUMENT_OPEN |
85
|
|
|
|
|
|
|
and return; |
86
|
0
|
0
|
|
|
|
|
defined( my $string = _get_argument_string( $args[1] ) ) |
87
|
|
|
|
|
|
|
or return; |
88
|
0
|
|
|
|
|
|
$string =~ s/ [+]? (?: < | >{1,2} ) //smx; |
89
|
0
|
|
|
|
|
|
return $string; |
90
|
|
|
|
|
|
|
} |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
1; |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
__END__ |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
#----------------------------------------------------------------------------- |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
=pod |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
=for stopwords PerlIO PerlMonks Wiki |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
=head1 NAME |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
Perl::Critic::Policy::InputOutput::RequireEncodingWithUTF8Layer - Write C<< open $fh, q{<:encoding(UTF-8)}, $filename; >> instead of C<< open $fh, q{<:utf8}, $filename; >>. |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
=head1 AFFILIATION |
107
|
|
|
|
|
|
|
|
108
|
|
|
|
|
|
|
This Policy is part of the core L<Perl::Critic|Perl::Critic> |
109
|
|
|
|
|
|
|
distribution. |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
=head1 DESCRIPTION |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
Use of the C<:utf8> I/O layer (as opposed to C<:encoding(UTF8)> or |
115
|
|
|
|
|
|
|
C<:encoding(UTF-8)>) was suggested in the Perl documentation up to |
116
|
|
|
|
|
|
|
version 5.8.8. This may be OK for output, but on input C<:utf8> does not |
117
|
|
|
|
|
|
|
validate the input, leading to unexpected results. |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
An exploit based on this behavior of C<:utf8> is exhibited on PerlMonks |
120
|
|
|
|
|
|
|
at L<http://www.perlmonks.org/?node_id=644786>. The exploit involves a |
121
|
|
|
|
|
|
|
string read from an external file and sanitized with C<m/^(\w+)$/>, |
122
|
|
|
|
|
|
|
where C<$1> nonetheless ends up containing shell meta-characters. |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
To summarize: |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
open $fh, '<:utf8', 'foo.txt'; # BAD |
127
|
|
|
|
|
|
|
open $fh, '<:encoding(UTF8)', 'foo.txt'; # GOOD |
128
|
|
|
|
|
|
|
open $fh, '<:encoding(UTF-8)', 'foo.txt'; # BETTER |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
See the L<Encode|Encode> documentation for the difference between |
131
|
|
|
|
|
|
|
C<UTF8> and C<UTF-8>. The short version is that C<UTF-8> implements the |
132
|
|
|
|
|
|
|
Unicode standard, and C<UTF8> is liberalized. |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
For consistency's sake, this policy checks files opened for output as |
135
|
|
|
|
|
|
|
well as input. For complete coverage it also checks C<binmode()> calls, |
136
|
|
|
|
|
|
|
where the direction of operation can not be determined. |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
=head1 CONFIGURATION |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
This Policy is not configurable except for the standard options. |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
=head1 NOTES |
145
|
|
|
|
|
|
|
|
146
|
|
|
|
|
|
|
Because C<Perl::Critic> does a static analysis, this policy can not |
147
|
|
|
|
|
|
|
detect cases like |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
my $encoding = ':utf8'; |
150
|
|
|
|
|
|
|
binmode $fh, $encoding; |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
where the encoding is computed. |
153
|
|
|
|
|
|
|
|
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=head1 SEE ALSO |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
L<PerlIO|PerlIO> |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
L<Encode|Encode> |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
C<perldoc -f binmode> |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
L<http://www.socialtext.net/perl5/index.cgi?the_utf8_perlio_layer> |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
L<http://www.perlmonks.org/?node_id=644786> |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=head1 AUTHOR |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
Thomas R. Wyant, III F<wyant at cpan dot org> |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
=head1 COPYRIGHT |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
Copyright (c) 2010-2011 Thomas R. Wyant, III |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify |
176
|
|
|
|
|
|
|
it under the same terms as Perl itself. |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
=cut |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
# Local Variables: |
181
|
|
|
|
|
|
|
# mode: cperl |
182
|
|
|
|
|
|
|
# cperl-indent-level: 4 |
183
|
|
|
|
|
|
|
# fill-column: 78 |
184
|
|
|
|
|
|
|
# indent-tabs-mode: nil |
185
|
|
|
|
|
|
|
# c-indentation-style: bsd |
186
|
|
|
|
|
|
|
# End: |
187
|
|
|
|
|
|
|
# ex: set ts=8 sts=4 sw=4 tw=78 ft=perl expandtab shiftround : |