The intent was to reinforce that incoming information (in this case a file handle with no other attached information) should be sanitized within your module.
While the source could well be benign, it is not that hard to use secure practices from the start.
Given that my background is information and systems security, I tend to preach security best practices (in conjunction with PBP ;-), of course).
Sorry, but that is total bulls...! You're not preaching security, you're preaching pointless paranoia. And quoting "PBP" does not change that.
There is nothing you can do within a third-party module to validate a filename given to you by the caller, that the caller cannot do for himself. What are you going to do, take a look at the filename a reject it because you don't like the way it spelt? Or reject it because it's all uppercase? Say "No, I'm not going to allow you to open that file"?
There is no way a module can hope to internally perform the correct checks for every possible caller, so the only sensible option is to leave the caller to perform all the checks they require, and do none inside the module, because they would either be wrong, or redundant.
The only thing a module should do with a filename is try and open it, and report an error if the attempt fails. And once you realise that, then having the module accept a filehandle rather than a filename is just common sense.
In reply to Re^4: Passing a Filehandle that Might be a Bareword
by BrowserUk
in thread Passing a Filehandle that Might be a Bareword
by Xiong
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |