develooper Front page | perl.perl5.porters | Postings from March 2012

Re: pop @INC (".")

Thread Previous | Thread Next
March 11, 2012 09:19
Re: pop @INC (".")
Message ID:
On Fri, Mar 09, 2012 at 06:44:18PM +0200, Niko Tyni wrote:
> On Fri, Mar 09, 2012 at 06:18:59AM -0700, Tom Christiansen wrote:
> > 
> > > Your argument here seems to center around development and testing. I 
> > > agree with you on the flexibility of "." in those cases. It's in the 
> > > production use of perl that I start to get hives when every one of my 
> > > scripts has to defensively remove "." from @INC or risk unexpected 
> > > behavior and/or a security issue.
> > 
> > What security issue?  Who's who, here?
> We've been here before, see the thread at
> It's dangerous to use some (many?) perl scripts and modules when cwd is
> writable by another user or otherwise untrusted, and it's not necessarily
> obvious which ones. In particular, scripts and modules that optionally
> load other modules with things like 'eval { require Module }' will
> silently search cwd too if Module isn't installed.
> An example, from <>: 
> Text::CSV is installed, Text::CSV_XS is not installed.
> When running "perl -mText::CSV" (or running any program using Text::CSV)
> the file ./Text/ is loaded and the contained code executed.
> Similar cases include JSON trying to load JSON::XS, and Term::ReadLine
> looking for its plugins. And perlbug trying Mail::Send, and /usr/bin/cpan
> using Log::Log4perl when available (via App::CPAN).

But if you run such programs in an untrusted environment, shouldn't you
(at least) run with -T? Or, simply, change cwd() to something "secure"
before running? Or put a "no lib '.';" on top of the program? Or use 
-M-lib=. on the command line? Or to add "-M-lib=." to PERL5LIB? Given that
all these measures already exists right now, what's the added value of
having yet another way?


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About