NAME

Perl::Critic::Policy::InputOutput::RequireEncodingWithUTF8Layer - Write open $fh, q{<:encoding(UTF-8)}, $filename; instead of open $fh, q{<:utf8}, $filename;.

AFFILIATION

This Policy is part of the core Perl::Critic distribution.

DESCRIPTION

Use of the :utf8 I/O layer (as opposed to :encoding(UTF8) or :encoding(UTF-8)) was suggested in the Perl documentation up to version 5.8.8. This may be OK for output, but on input :utf8 does not validate the input, leading to unexpected results.

An exploit based on this behavior of :utf8 is exhibited on PerlMonks at http://www.perlmonks.org/?node_id=644786. The exploit involves a string read from an external file and sanitized with m/^(\w+)$/, where $1 nonetheless ends up containing shell meta-characters.

To summarize:

open $fh, '<:utf8', 'foo.txt';             # BAD
open $fh, '<:encoding(UTF8)', 'foo.txt';   # GOOD
open $fh, '<:encoding(UTF-8)', 'foo.txt';  # BETTER

See the Encode documentation for the difference between UTF8 and UTF-8. The short version is that UTF-8 implements the Unicode standard, and UTF8 is liberalized.

For consistency's sake, this policy checks files opened for output as well as input. For complete coverage it also checks binmode() calls, where the direction of operation can not be determined.

CONFIGURATION

This Policy is not configurable except for the standard options.

NOTES

Because Perl::Critic does a static analysis, this policy can not detect cases like

my $encoding = ':utf8';
binmode $fh, $encoding;

where the encoding is computed.

SEE ALSO

PerlIO

Encode

perldoc -f binmode

http://www.socialtext.net/perl5/index.cgi?the_utf8_perlio_layer

http://www.perlmonks.org/?node_id=644786

AUTHOR

Thomas R. Wyant, III wyant at cpan dot org

COPYRIGHT

Copyright (c) 2010-2011 Thomas R. Wyant, III

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.