10 lines
412 B
Plaintext
10 lines
412 B
Plaintext
==== Do not use {joining_func} as a validator
|
|
|
|
As specified in the {joining_docs}[official documentation], if the given
|
|
parameter is an absolute path, the base object from which the method is called
|
|
is discarded and is not included in the resulting string.
|
|
|
|
This means that including untrusted data in the parameter and using the
|
|
resulting string for file operations may lead to a path traversal vulnerability.
|
|
|