Provided by: libperl-critic-perl_1.121-1_all
NAME
Perl::Critic::Policy::InputOutput::RequireEncodingWithUTF8Layer - Write "open $fh, q{<:encoding(UTF-8)}, $filename;" instead of "open $fh, q{{<:utf8}, $filename;".
AFFILIATION
This Policy is part of the core Perl::Critic distribution.
DESCRIPTION
Use of the ":utf8" I/O layer (as opposed to ":encoding(UTF8)" or ":encoding(UTF-8)") was suggested in the Perl documentation up to version 5.8.8. This may be OK for output, but on input ":utf8" does not validate the input, leading to unexpected results. An exploit based on this behavior of ":utf8" is exhibited on PerlMonks at <http://www.perlmonks.org/?node_id=644786>. The exploit involves a string read from an external file and sanitized with "m/^(\w+)$/", where $1 nonetheless ends up containing shell meta-characters. To summarize: open $fh, '<:utf8', 'foo.txt'; # BAD open $fh, '<:encoding(UTF8)', 'foo.txt'; # GOOD open $fh, '<:encoding(UTF-8)', 'foo.txt'; # BETTER See the Encode documentation for the difference between "UTF8" and "UTF-8". The short version is that "UTF-8" implements the Unicode standard, and "UTF8" is liberalized. For consistency's sake, this policy checks files opened for output as well as input, For complete coverage it also checks "binmode()" calls, where the direction the operation can not be determined.
CONFIGURATION
This Policy is not configurable except for the standard options.
NOTES
Because "Perl::Critic" does a static analysis, this policy can not detect cases like my $encoding = ':utf8'; binmode $fh, $encoding; where the encoding is computed.
SEE ALSO
PerlIO Encode "perldoc -f binmode" <http://www.socialtext.net/perl5/index.cgi?the_utf8_perlio_layer> <http://www.perlmonks.org/?node_id=644786>
AUTHOR
Thomas R. Wyant, III wyant at cpan dot org
COPYRIGHT
Copyright (c) 2010-2011 Thomas R. Wyant, III This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. perl v5.18.1 Perl::Critic::Policy::InputOutput::RequireEncodingWithUTF8Layer(3pm)