develooper Front page | perl.perl5.porters | Postings from March 2012

Re: pop @INC (".")

From: Todd Rinaldo
Date: March 8, 2012 12:20
Subject: Re: pop @INC (".")
Message ID: 0374D18A-C3A3-4E46-8DB9-AA37E0B58C3A@cpanel.net

On Mar 8, 2012, at 2:10 PM, David Golden wrote:

> Even if those were "fixed", such a Perl would probably break many more
> modules on CPAN, which may or may not be an issue for your intended
> use of such a patch.
> 
> Put differently, imagine you were to patch Perl to always run in taint
> mode.  Would it be a bug if modules/programs broke?  Modules should be
> taint-safe, but many weren't ever designed to be.  Is the benefit
> worth the cost?
> 
> I see no problem insisting that modules in the Perl core not depend on
> having "." in @INC, but I do caution that it could have far-reaching
> surprises.

I asked this because I was actually considering submitting a patch for 5.18 to provide this as a Configure option.  While I'm not for taint being on always, I worry that it's generally a potential security issue that @INC paths are unpredictable if you can't control where the program will be run from. I realize this concern has holes in it.

There are about 4 test-related files in core that would have to be patched to get tests working. But I would be very concerned with breaking CPAN over it.

Does anyone besides me share my concern that putting "." in the path isn't always necessarily desirable?

Thanks,
Todd
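
The concern raised in this message, that relative @INC entries such as "." resolve against whatever directory the program is started from, can be checked with the short audit below. It is an added example, not part of the original message or of the perl core; the sub names and the sample list are hypothetical.

```perl
#!/usr/bin/perl
# Added example: audit @INC and %INC for working-directory-dependent paths.
# Sub names and the sample list are hypothetical, not from perl core.
use strict;
use warnings;
use File::Spec;

# Plain-string @INC entries that are relative ("." or "lib"): what they
# point at depends on the directory the program was started from.
sub relative_inc_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @_;
}

# Same list with relative entries dropped. References are @INC hooks
# (code refs, objects) and are kept as they are.
sub absolute_only {
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @_;
}

# Keys of a %INC-style hash whose recorded file path is relative, i.e. the
# file was found via a relative @INC entry or an explicit relative require.
sub relatively_loaded {
    my %loaded = @_;
    return sort grep {
        my $path = $loaded{$_};
        defined $path && !ref($path)
            && !File::Spec->file_name_is_absolute($path)
    } keys %loaded;
}

# Constructed sample resembling a default @INC that ends in ".".
my @sample = ('/usr/lib/perl5/site_perl', '/usr/lib/perl5', 'lib', '.');
print "sample relative entries: @{[ relative_inc_entries(@sample) ]}\n";
print "sample after filtering:  @{[ absolute_only(@sample) ]}\n";

# The same checks against the interpreter actually running this script.
my @rel = relative_inc_entries(@INC);
print "this perl has ", scalar(@rel), " relative \@INC entries: @rel\n";
print "loaded via relative path: $_ => $INC{$_}\n"
    for relatively_loaded(%INC);
```

Running it from different working directories shows which module paths would change with the start directory; any module listed by the last loop is one that depends on a relative search path.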