
Re: pop @INC (".")

From: Steffen Schwigon
Date: March 12, 2012 06:09
Subject: Re: pop @INC (".")
Message ID: 87haxu9dax.fsf@renormalist.net
Abigail <abigail@abigail.be> writes:
> On Fri, Mar 09, 2012 at 06:44:18PM +0200, Niko Tyni wrote:
>> On Fri, Mar 09, 2012 at 06:18:59AM -0700, Tom Christiansen wrote:
>> > 
>> > > Your argument here seems to center around development and testing. I 
>> > > agree with you on the flexibility of "." in those cases. It's in the 
>> > > production use of perl that I start to get hives when every one of my 
>> > > scripts has to defensively remove "." from @INC or risk unexpected 
>> > > behavior and/or a security issue.
>> > 
>> > What security issue?  Who's who, here?
>> 
>> We've been here before, see the thread at
>>  http://www.nntp.perl.org/group/perl.perl5.porters/2010/08/msg162729.html
>> 
>> It's dangerous to use some (many?) perl scripts and modules when cwd
>> is writable by another user or otherwise untrusted, and it's not
>> necessarily obvious which ones. [...]
>
> But if you run such programs in an untrusted environment, shouldn't
> you (at least) run with -T?

I don't think so. Creating taintmode-clean programs is a different
league.

The "." in @INC is more comparable to the early-1990s Unix advice not to
have "." in $PATH.

That's orthogonal to also ensuring your actual programs' security.

Kind regards,
Steffen 
-- 
Steffen Schwigon <ss5@renormalist.net>
Dresden Perl Mongers <http://dresden-pm.org/>
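The thread turns on two practical questions: which @INC entries an untrusted user could control, and how a script drops "." before any module is loaded. The script below is an added example, not code from this thread or from the perl distribution; the function names `risky_inc_entries` and `locate_module`, the saved `@ORIGINAL_INC` copy and the module name `Some::Module` are my own choices and are hypothetical.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): audit @INC for entries an untrusted
# party could influence, and drop "." before any module search happens.
use strict;
use warnings;
use File::Spec;
use Fcntl ':mode';

# Keep a copy of the original @INC for the report, then remove "." (and the
# empty string, which also means cwd). This runs in BEGIN so the change is
# in effect before any later `use` or `require` performs its search.
our @ORIGINAL_INC;
BEGIN {
    @ORIGINAL_INC = @INC;
    @INC = grep { ref($_) || ($_ ne '.' && $_ ne '') } @INC;
}

# Return "path: reason" strings for entries (default: current @INC) that
# resolve to the current directory or are writable by group/other.
sub risky_inc_entries {
    my @dirs = @_ ? @_ : @INC;
    my @risky;
    for my $dir (@dirs) {
        next if ref $dir;    # @INC hooks (coderefs/objects), not directories
        if (!File::Spec->file_name_is_absolute($dir)) {
            push @risky, "$dir: relative path, resolves to the current directory";
            next;
        }
        my @st = stat $dir;
        next unless @st;     # a missing directory cannot supply a module
        my $mode = S_IMODE($st[2]);
        if ($mode & S_IWOTH) {
            push @risky, sprintf "%s: world-writable (mode %04o)", $dir, $mode;
        }
        elsif ($mode & S_IWGRP) {
            push @risky, sprintf "%s: group-writable (mode %04o)", $dir, $mode;
        }
    }
    return @risky;
}

# Simulate the @INC search `require` performs for a module name and return
# the first matching file (or undef), so you can see which directory wins
# with and without "." present.
sub locate_module {
    my ($module, @dirs) = @_;
    @dirs = @INC unless @dirs;
    (my $rel = "$module.pm") =~ s{::}{/}g;
    for my $dir (@dirs) {
        next if ref $dir;
        my $candidate = File::Spec->catfile($dir, $rel);
        return $candidate if -f $candidate;
    }
    return undef;
}

# Run the report only when executed directly (modulino style).
if (!caller) {
    print "Risky entries in the original \@INC:\n";
    my @before = risky_inc_entries(@ORIGINAL_INC);
    if (@before) { print "  $_\n" for @before } else { print "  (none)\n" }

    print "Risky entries left after the BEGIN block:\n";
    my @after = risky_inc_entries();
    if (@after) { print "  $_\n" for @after } else { print "  (none)\n" }

    # "Some::Module" is a hypothetical name; substitute one your script loads.
    for my $pair (['with "."', \@ORIGINAL_INC], ['without "."', \@INC]) {
        my ($label, $list) = @$pair;
        my $found = locate_module('Some::Module', @$list);
        printf "Some::Module %s: %s\n", $label,
            defined $found ? $found : 'not found';
    }
}
```

Run it from a directory where a file `Some/Module.pm` exists and the two `locate_module` lines show the difference: with "." present the copy in cwd is what `require` would load; without it, only the absolute entries are searched. The BEGIN block is the important part, since `use` statements execute at compile time and a plain runtime assignment to @INC would come too late for them; `no lib '.';` at the top of the script is an equivalent one-liner from the core `lib` module.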
