Re: pop @INC (".")

From: Niko Tyni <nty...@debian.org>

Fri, 9 Mar 2012 18:44:18 +0200

On Fri, Mar 09, 2012 at 06:18:59AM -0700, Tom Christiansen wrote:
> > > Your argument here seems to center around development and testing. I > > agree with you on the flexibility of "." in those cases. It's in the > > production use of perl that I start to get hives when every one of my > > scripts has to defensively remove "." from @INC or risk unexpected > > behavior and/or a security issue.> > What security issue?  Who's who, here?

We've been here before, see the thread at
 http://www.nntp.perl.org/group/perl.perl5.porters/2010/08/msg162729.html

It's dangerous to use some (many?) perl scripts and modules when cwd is
writable by another user or otherwise untrusted, and it's not necessarily
obvious which ones. In particular, scripts and modules that optionally
load other modules with things like 'eval { require Module }' will
silently search cwd too if Module isn't installed.

An example, from <http://bugs.debian.org/588017>: 
Text::CSV is installed, Text::CSV_XS is not installed.
When running "perl -mText::CSV" (or running any program using Text::CSV)
the file ./Text/CSV_XS.pm is loaded and the contained code executed.

Similar cases include JSON trying to load JSON::XS, and Term::ReadLine
looking for its plugins. And perlbug trying Mail::Send, and /usr/bin/cpan
using Log::Log4perl when available (via App::CPAN).
-- 
Niko Tyni   nty...@debian.org

Recent Messages in this Thread
pop @INC (".")	Todd Rinaldo	Mar 08, 2012 07:38 pm
Re: pop @INC (".")	David Golden	Mar 08, 2012 08:10 pm
Re: pop @INC (".")	Todd Rinaldo	Mar 08, 2012 08:20 pm
Re: pop @INC (".")	David Golden	Mar 08, 2012 08:45 pm
RE: pop @INC (".")	Jan Dubois	Mar 08, 2012 08:58 pm
Re: pop @INC (".")	Todd Rinaldo	Mar 08, 2012 10:37 pm
Re: pop @INC (".")	Reini Urban	Mar 08, 2012 11:06 pm
Re: pop @INC (".")	H.Merijn Brand	Mar 09, 2012 06:56 am
Re: pop @INC (".")	Todd Rinaldo	Mar 09, 2012 07:16 am
Re: pop @INC (".")	Tom Christiansen	Mar 09, 2012 01:18 pm
Re: pop @INC (".")	Niko Tyni	Mar 09, 2012 04:44 pm
Re: pop @INC (".")	Jesse Luehrs	Mar 08, 2012 11:16 pm
Re: pop @INC (".")	Steffen Schwigon	Mar 12, 2012 01:15 pm
Re: pop @INC (".")	Offer Kaye	Mar 08, 2012 08:10 pm
Re: pop @INC (".")	Abigail	Mar 08, 2012 10:57 pm
Re: pop @INC (".")	David Golden	Mar 08, 2012 10:58 pm
Re: pop @INC (".")	Todd Rinaldo	Mar 08, 2012 11:08 pm
Re: pop @INC (".")	H.Merijn Brand	Mar 09, 2012 06:47 am
Re: pop @INC (".")	Todd Rinaldo	Mar 09, 2012 06:58 am
RE: pop @INC (".")	Jan Dubois	Mar 09, 2012 07:24 am
Re: pop @INC (".")	Tom Christiansen	Mar 09, 2012 12:24 am
RE: pop @INC (".")	Jan Dubois	Mar 09, 2012 12:54 am
Re: pop @INC (".")	Tom Christiansen	Mar 09, 2012 02:02 am
Re: pop @INC (".")	Todd Rinaldo	Mar 09, 2012 06:59 am
Re: pop @INC (".")	demerphq	Mar 09, 2012 07:27 am
Re: pop @INC (".")	Aristotle Pagaltzis	Mar 09, 2012 09:33 am
Re: pop @INC (".")	Todd Rinaldo	Mar 09, 2012 11:35 am
Re: pop @INC (".")	David Golden	Mar 09, 2012 11:57 am
Re: pop @INC (".")	Paul Johnson	Mar 09, 2012 12:25 pm
Re: pop @INC (".")	Kent Fredric	Mar 09, 2012 01:09 pm
Re: pop @INC (".")	Paul Johnson	Mar 09, 2012 02:26 pm
RE: pop @INC (".")	Konovalov, Vadim (Vadim) CTR	Mar 11, 2012 06:04 am

◄ Messages in this thread ►

Previous post: Re: [perl #111586] [PATCH] sdbm.c: fix off-by-one access to global ".dir"

Next post: Smoke [blead] v5.15.8-91-gacdbe25 FAIL(F) MSWin32 Win2000 SP4 (x86/1 cpu)

Subscribe to the perl5-porters RSS feed

Accounts

List Archives

Feedback & Information

ActiveState

© 2019 ActiveState Software Inc. All rights reserved. ActiveState®, Komodo®, ActiveState Perl Dev Kit®, ActiveState Tcl Dev Kit®, ActivePerl®, ActivePython®, and ActiveTcl® are registered trademarks of ActiveState. All other marks are property of their respective owners.