
Subject: [boost] [filesystem] New operational function added: canonical()
From: Beman Dawes (bdawes_at_[hidden])
Date: 2011-10-06 08:56:24

A canonical() function has been added at the suggestion of David Svoboda from CERT.

Boost.Filesystem's class path had such a function at one time, but it
was deprecated because it didn't handle symlinks correctly. The new
canonical() free function walks the path resolving symlinks, so it now
works correctly even when symlinks are present.

For the curious, David's rationale for the function follows.


Canonicalized pathnames are an important security measure when you
want to do validity checking on your path (e.g., does this path live in
/home/goodguy or /home/badguy?). There are several implementations of
canonicalization functions, ranging from POSIX's realpath() function,
to the GNU library's canonicalize_file_name(). For
platform-independent implementations, Java provides the
File.getCanonicalFile() method.

CERT advocates the use of canonicalized filenames in its Secure Coding
rules for both C
       FIO02-C. Canonicalize path names originating from untrusted sources
and Java
       IDS02-J. Canonicalize path names before validating them
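
The goodguy/badguy check from the rationale above, as an added example that is not part of the original message or of Boost's code. It assumes C++17 and uses std::filesystem::canonical() in place of the Boost function so that it builds without Boost; the helper names and the temporary fixture directory are constructed for the illustration.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <system_error>
namespace fs = std::filesystem;

// True if every component of `base` is a leading component of `p`.
// Component-wise, so /home/goodguy does not match /home/goodguy2.
static bool has_prefix(const fs::path& base, const fs::path& p) {
    auto m = std::mismatch(base.begin(), base.end(), p.begin(), p.end());
    return m.first == base.end();
}
// Naive check: purely lexical, never consults the file system.
bool naive_is_within(const fs::path& base, const fs::path& untrusted) {
    return has_prefix(base, untrusted);
}

// Canonicalize both sides (resolves symlinks, "." and ".."), then compare.
// Fails closed: a path that cannot be resolved is rejected.
bool canonical_is_within(const fs::path& base, const fs::path& untrusted) {
    std::error_code ec;
    const fs::path cbase = fs::canonical(base, ec);
    if (ec) return false;
    const fs::path cpath = fs::canonical(untrusted, ec);
    if (ec) return false;
    return has_prefix(cbase, cpath);
}

// Constructed fixture: <tmp>/canon_demo_fixture/{goodguy,badguy} plus a
// symlink goodguy/link -> ../badguy. Returns the fixture root.
fs::path make_fixture() {
    fs::path root = fs::temp_directory_path() / "canon_demo_fixture";
    fs::remove_all(root);
    fs::create_directories(root / "goodguy");
    fs::create_directories(root / "badguy");
    std::ofstream(root / "goodguy" / "ok.txt") << "ok\n";
    std::ofstream(root / "badguy" / "secret.txt") << "secret\n";
    fs::create_directory_symlink("../badguy", root / "goodguy" / "link");
    return root;
}

int main() {
    const fs::path root = make_fixture(), good = root / "goodguy";
    for (const fs::path& p : {good / "ok.txt", good / "link" / "secret.txt",
                              good / ".." / "badguy" / "secret.txt"})
        std::cout << p << " naive=" << naive_is_within(good, p)
                  << " canonical=" << canonical_is_within(good, p) << '\n';
    fs::remove_all(root);
}
```

The canonical check and the later open of the file are separate steps, so the result only holds if the directory tree cannot be modified by an untrusted party in between.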
