modules.raku.org

Module names with `../` in their name

Open AlexDaniel opened this issue 7 years ago • 0 comments

Go here: https://modules.perl6.org/search/?q=foo

You will find a module called `../Foo`.

Clicking on it leads to this url:

https://modules.perl6.org/Foo:github:Aleks-Daniel%20Jakimenko-Aleksejev

Instead of something like this (where ../ needs to be escaped):

https://modules.perl6.org/dist/../Foo:github:Aleks-Daniel%20Jakimenko-Aleksejev

If I understand correctly, that's not a vulnerability by itself. I think links constructed with `url_for` can't have custom unescaped HTML in them. But it's still something that needs to be fixed.

AlexDaniel, Nov 20 '18 21:11
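
Added example, not part of the original issue or the site's code: the standard URL parser (browsers and Node) collapses an unescaped `../` in a dist name into the path reported above, while encoding the name as one path segment keeps it under `/dist/`. The function names are hypothetical, and the page does not say at which layer the site's link is actually collapsed.

```javascript
// Added example. BASE and the dist name are taken from the URLs quoted in the
// issue; the function names are hypothetical and not the site's code.
const BASE = "https://modules.perl6.org";
const DIST = "../Foo:github:Aleks-Daniel Jakimenko-Aleksejev";

// Naive link: the dist name is pasted into the path unescaped, so its
// leading "../" is parsed as a dot segment and removes "dist".
function naiveDistUrl(name) {
  return new URL(`${BASE}/dist/${name}`);
}

// Escaped link: encodeURIComponent turns "/" into %2F, so the whole name
// stays one path segment. A name that is only "." or ".." is still a dot
// segment after encoding, so it is rejected instead of linked.
function safeDistUrl(name) {
  if (name === "." || name === "..") {
    throw new RangeError(`dist name ${JSON.stringify(name)} is a dot segment`);
  }
  return new URL(`${BASE}/dist/${encodeURIComponent(name)}`);
}

// What a router matching /dist/<name> would extract; null if the path
// no longer sits under /dist/ (assumes the server keeps %2F undecoded
// until after routing).
function distNameFromUrl(url) {
  const m = /^\/dist\/([^/]+)$/.exec(url.pathname);
  return m ? decodeURIComponent(m[1]) : null;
}

// Demonstration on the constructed input above.
console.log("naive :", naiveDistUrl(DIST).pathname);
console.log("safe  :", safeDistUrl(DIST).pathname);
console.log("routed:", distNameFromUrl(naiveDistUrl(DIST)), "|",
            distNameFromUrl(safeDistUrl(DIST)));
```
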