develooper Front page | perl.perl5.porters | Postings from March 2012

Re: pop @INC (".")

Kent Fredric
March 9, 2012 05:10
On 10 March 2012 01:25, Paul Johnson wrote:

> Yes, it's analogous to having "." in $PATH, and perhaps it's obvious to
> others, but I'd quite like to see some code showing why having "." in
> @INC is undesirable / unwise / dangerous / a security problem.
> Has the presence of "." in @INC caused problems, or is this a
> theoretical concern?

I think a more useful thing to do, might be instead of completely
removing q{.} from @INC, would be replacing q{.} with a hook of sorts
that triggers when a file would otherwise be loaded from q{.} so you
can decide what to do with it.

Perhaps you might want to fork and drop privs before continuing, or
something like that. ( Though really, if you have code running as uid
0 you should probably drop privs everywhere you no longer really need
them anyway )

Though a more practical and non-invasive thing to do in the hook might
be sending an event to syslog / messaging STDERR about it to make you
aware it's happening.

At present, I'd suggest that instead of it being a config option which
people can blindly set, it should be a patch in some directory (
perhaps something like q{patches/unsupported/} )  with a big sod-off
README file and each patch being intentionally slightly damaged not to
apply cleanly until edited to remove the part that causes it not to

At least that way, you can't shoot yourself in the foot without first
knowing that's what you're doing *and* taking the responsibility for
all the consequences of that.


perl -e  "print substr( \"edrgmaM  SPA NOcomil.ic\\@tfrken\", \$_ * 3,
3 ) for ( 9,8,0,7,1,6,5,4,3,2 );"
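
The hook idea from the message above, sketched as an added example that is not part of the original post and not code from perl itself: a coderef takes the place of "." in @INC and reports to STDERR whenever a module would be loaded from the current directory. The helper names, the 'warn'/'skip' policies and the Constructed::Demo module are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(getcwd abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# make_dot_hook() is a hypothetical helper, not a perl core API.
# policy 'warn': log, then load the file. policy 'skip': log, then decline
# so that require carries on through the rest of @INC.
sub make_dot_hook {
    my (%opt) = @_;
    my $policy = $opt{policy} || 'warn';
    my $log    = $opt{log}    || sub { warn "$_[0]\n" };
    return sub {
        my ($self, $file) = @_;              # $file looks like "Foo/Bar.pm"
        my $path = File::Spec->catfile(File::Spec->curdir, $file);
        return unless -f $path;              # not in the cwd: decline quietly
        my $abs = abs_path($path);
        $log->("[INC-dot] $file resolved to $abs (cwd=" . getcwd()
            . ", euid=" . $> . ", policy=$policy)");
        return if $policy eq 'skip';
        open my $fh, '<', $path or die "cannot read $abs: $!";
        $INC{$file} = $abs;                  # hooks may set their own %INC entry
        return $fh;                          # perl reads the source from $fh
    };
}

# Replace each plain "." entry in place, keeping its position in the search.
sub replace_dot_in_inc {
    my ($hook) = @_;
    @INC = map { (!ref($_) && $_ eq '.') ? $hook : $_ } @INC;
}

# Demo with a constructed module written to a scratch directory.
my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);
mkdir "$dir/Constructed" or die $!;
open my $out, '>', "$dir/Constructed/Demo.pm" or die $!;
print {$out} "package Constructed::Demo; sub hello { 'loaded from cwd' } 1;\n";
close $out or die $!;
chdir $dir or die $!;

push @INC, '.' unless grep { !ref($_) && $_ eq '.' } @INC;  # ensure "." is searched
my @events;
replace_dot_in_inc(make_dot_hook(log => sub { push @events, @_; warn "$_[0]\n" }));
require Constructed::Demo;
print Constructed::Demo::hello(), "\n";
print scalar(@events), " load(s) from the current directory reported\n";
chdir $start or die $!;
```

The log callback is where a syslog call or a privilege check would go; with policy 'skip' the hook behaves like a perl without "." in @INC, except that the attempted load is recorded.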
