
Re: pop @INC (".")

From: Niko Tyni
Date: March 9, 2012 08:44
Subject: Re: pop @INC (".")
Message ID: 20120309164418.GA2660@madeleine.local.invalid

On Fri, Mar 09, 2012 at 06:18:59AM -0700, Tom Christiansen wrote:
> 
> > Your argument here seems to center around development and testing. I 
> > agree with you on the flexibility of "." in those cases. It's in the 
> > production use of perl that I start to get hives when every one of my 
> > scripts has to defensively remove "." from @INC or risk unexpected 
> > behavior and/or a security issue.
> 
> What security issue?  Who's who, here?

We've been here before, see the thread at
 http://www.nntp.perl.org/group/perl.perl5.porters/2010/08/msg162729.html

It's dangerous to use some (many?) perl scripts and modules when cwd is
writable by another user or otherwise untrusted, and it's not necessarily
obvious which ones. In particular, scripts and modules that optionally
load other modules with things like 'eval { require Module }' will
silently search cwd too if Module isn't installed.

An example, from <http://bugs.debian.org/588017>:
Text::CSV is installed, Text::CSV_XS is not installed.
When running "perl -mText::CSV" (or running any program using Text::CSV)
the file ./Text/CSV_XS.pm is loaded and the contained code executed.

Similar cases include JSON trying to load JSON::XS, and Term::ReadLine
looking for its plugins. And perlbug trying Mail::Send, and /usr/bin/cpan
using Log::Log4perl when available (via App::CPAN).
-- 
Niko Tyni   ntyni@debian.org
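The defensive step the thread is arguing about, as an added illustration that is not code from the message or from any of the modules it names: strip "." (and any other relative entry) from @INC before the first optional `require`, and report where an optionally loaded module was actually found so an operator can audit it. Text::CSV_XS is taken from the Debian bug quoted above; the function names `sanitize_inc` and `optional_require` are this example's own. The script is meant to be run from a shell as an ordinary Perl program.

```perl
#!/usr/bin/perl
# Added example (not from the thread): guard against optional-module
# loads resolving against the current working directory via "." in @INC.
use strict;
use warnings;
use File::Spec;

# Drop every relative entry from @INC ("." included) and return what was
# dropped. Code references and objects in @INC are left alone; they are
# hooks, not directories. Runs in BEGIN so it precedes compile-time 'use'.
sub sanitize_inc {
    my @dropped = grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @INC;
    @INC = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;
    return @dropped;
}

BEGIN {
    my @dropped = sanitize_inc();
    warn "removed relative entries from \@INC: @dropped\n" if @dropped;
}

# The 'eval { require Module }' pattern many CPAN modules use, wrapped so
# the caller learns both whether the module loaded and which file it came
# from. Returns (loaded_flag, path_or_error).
sub optional_require {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;          # Text::CSV_XS -> Text/CSV_XS.pm

    # Before searching, make sure nothing relative slipped back into @INC
    # (for example via a later 'use lib "."').
    my @relative = sanitize_inc();
    warn "late relative \@INC entries removed: @relative\n" if @relative;

    my $ok = eval { require $file; 1 };
    return (0, "not loaded: $@") unless $ok;
    return (1, $INC{$file});                          # %INC records the resolved path
}

# Demonstration: the optional XS back end from the Debian report.
my ($have_xs, $where) = optional_require('Text::CSV_XS');
if ($have_xs) {
    print "Text::CSV_XS loaded from $where\n";
} else {
    print "Text::CSV_XS unavailable ($where), falling back to pure Perl\n";
}

# Show the search path the script will actually use from here on.
print "\@INC after sanitizing:\n";
print "  $_\n" for @INC;
```

Running this as `perl -I. sanitize.pl` (or on a perl that still ships "." in @INC by default) prints the warning about the removed entry and then resolves Text::CSV_XS only against absolute paths, so a `Text/CSV_XS.pm` dropped into the working directory is never consulted. Perl 5.26 and later no longer include "." in @INC by default, but the check still matters on older interpreters and wherever `-I` or `PERL5LIB` reintroduce a relative entry.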
