develooper Front page | perl.perl5.porters | Postings from March 2012

Re: pop @INC (".")

From: Kent Fredric
Date: March 9, 2012 05:10
Subject: Re: pop @INC (".")
Message ID: CAATnKFC0TRaQiVt4vooooQQiKto7QrL2ciq-zt-bM5Nn4zbYZA@mail.gmail.com
On 10 March 2012 01:25, Paul Johnson <paul@pjcj.net> wrote:

> Yes, it's analogous to having "." in $PATH, and perhaps it's obvious to
> others, but I'd quite like to see some code showing why having "." in
> @INC is undesirable / unwise / dangerous / a security problem.
>
> Has the presence of "." in @INC caused problems, or is this a
> theoretical concern?

I think a more useful thing to do, instead of completely removing q{.}
from @INC, might be replacing q{.} with a hook of sorts that triggers
when a file would otherwise be loaded from q{.}, so you can decide what
to do with it.

Perhaps you might want to fork and drop privs before continuing, or
something like that. ( Though really, if you have code running as uid
0 you should probably drop privs everywhere you no longer really need
them anyway )

Though a more practical and non-invasive thing to do in the hook might
be sending an event to syslog / messaging STDERR about it to make you
aware it's happening.

At present, I'd suggest that instead of it being a config option which
people can blindly set, it should be a patch in some directory (
perhaps something like q{patches/unsupported/} )  with a big sod-off
README file and each patch being intentionally slightly damaged not to
apply cleanly until edited to remove the part that causes it not to
apply.

At least that way, you can't shoot yourself in the foot without first
knowing that's what you're doing *and* taking the responsibility for
all the consequences of that.


-- 
Kent

perl -e  "print substr( \"edrgmaM  SPA NOcomil.ic\\@tfrken\", \$_ * 3,
3 ) for ( 9,8,0,7,1,6,5,4,3,2 );"
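An added example of the hook idea described in the post above (this is illustrative code written for this page, not code from the original message or from the perl core): the trailing "." in @INC is swapped for a coderef, which perl's require calls with the hook itself and the relative file name whenever no earlier @INC entry satisfied the load. The hook warns on STDERR and then either hands back a filehandle for the file in the current directory or, when a hypothetical policy says so (running as root, or a made-up PERL_NO_DOT_INC environment variable being set), refuses the load. The module DotIncDemo.pm is constructed by the script itself so it runs offline.

```perl
#!/usr/bin/perl
# Added example, not from the original post or perl's own source:
# replace the trailing "." in @INC with a hook that fires whenever a
# require/use would otherwise fall through to the current directory.
use strict;
use warnings;
use Cwd ();
use File::Spec ();

# Policy assumptions (hypothetical, for illustration only): log to STDERR,
# and refuse the load outright when running as root or when the made-up
# PERL_NO_DOT_INC environment variable is set.
my $REFUSE = ($> == 0) || $ENV{PERL_NO_DOT_INC};

sub dot_inc_hook {
    my ($self, $file) = @_;     # $self is the hook coderef; $file is e.g. "Foo/Bar.pm"
    my $path = File::Spec->catfile(Cwd::getcwd(), $file);
    return unless -f $path;     # not in cwd: return nothing so require moves on / fails
    my $msg = sprintf "require '%s' would be satisfied from the current directory (%s)",
                      $file, $path;
    if ($REFUSE) {
        die "$msg; refused because '.' is not a trusted library path\n";
    }
    warn "WARNING: $msg\n";     # a Sys::Syslog call could go here instead
    open my $fh, '<', $path or die "open $path: $!";
    $INC{$file} = $path;        # record the real path rather than the hook in %INC
    return $fh;                 # require compiles the source read from this handle
}

# Swap the trailing "." (present in perl < 5.26) for the hook; if "." is
# already gone, append the hook so the behaviour is still observable here.
if (@INC && $INC[-1] eq '.') {
    $INC[-1] = \&dot_inc_hook;
} else {
    push @INC, \&dot_inc_hook;
}

# Demonstration with a constructed module dropped into the current directory,
# standing in for a file an attacker could plant where a privileged script runs.
my $tmp = 'DotIncDemo.pm';
open my $out, '>', $tmp or die "create $tmp: $!";
print $out "package DotIncDemo; sub hello { 'loaded from cwd' } 1;\n";
close $out;

my $got = eval { require DotIncDemo; DotIncDemo::hello() };
print defined $got ? "$got\n" : "refused: $@";
unlink $tmp;
```

Run it as an ordinary user and the module loads with a warning on STDERR; run it as root, or with PERL_NO_DOT_INC set, and the require dies instead, which is the "decide what to do with it" behaviour the post asks for. The hook deliberately sets $INC{$file} to the real path so that later code inspecting %INC sees where the module came from instead of a CODE reference.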


