perl.perl5.porters | Postings from March 2012

Re: pop @INC (".")

From: Niko Tyni
Date: March 12, 2012 12:45
Subject: Re: pop @INC (".")
Message ID: 20120312194455.GA4212@madeleine.local.invalid
On Sun, Mar 11, 2012 at 05:19:54PM +0100, Abigail wrote:
> On Fri, Mar 09, 2012 at 06:44:18PM +0200, Niko Tyni wrote:
> > On Fri, Mar 09, 2012 at 06:18:59AM -0700, Tom Christiansen wrote:

> > > What security issue?  Who's who, here?

> > It's dangerous to use some (many?) perl scripts and modules when cwd is
> > writable by another user or otherwise untrusted, and it's not necessarily
> > obvious which ones. In particular, scripts and modules that optionally
> > load other modules with things like 'eval { require Module }' will
> > silently search cwd too if Module isn't installed.

> But if you run such programs in an untrusted environment, shouldn't you
> (at least) run with -T? Or, simply, change cwd() to something "secure"
> before running? Or put a "no lib '.';" on top of the program? Or use 
> -M-lib=. on the command line? Or add "-M-lib=." to PERL5LIB? Given that
> all these measures already exist right now, what's the added value of
> having yet another way?

While I'm nowadays (usually) careful enough to make sure cwd is trusted
before running /usr/bin/cpan or any other system command that I know
is written in Perl, I think it's a bit much to demand that casual users
do so.

FWIW, I agree that unconditionally removing cwd from the default @INC
is not realistic because of backward compatibility issues. I still think
this is a real problem and that the current measures you've listed are not
sufficient because they require users to take explicit action to be safe.

How about checking at runtime whether cwd is owned or writable by somebody
else and removing it in that case (possibly with a warning)? That would
solve most of the problem without breaking half the world AFAICS. (But
maybe I'm missing something obvious.)
-- 
Niko Tyni   ntyni@debian.org
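As an added example (not code from this thread or from perl5-porters), here is one way the runtime check proposed in the message above could look, together with a small demonstration of the 'eval { require Module }' failure mode it is meant to stop. It assumes a POSIX system; the module name Demo::Optional, the temporary directory and the planted file are all constructed for the demo, and "." is pushed back onto @INC because perl 5.26 and later no longer put it there by default.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from perl5-porters: a runtime
# guard of the kind proposed above, plus a demo of the
# 'eval { require Module }' failure mode it targets.  Assumes a POSIX
# system; Demo::Optional and the temporary directory are constructed.
use strict;
use warnings;
use Cwd ();
use Fcntl ':mode';
use File::Temp ();
use File::Path qw(make_path);

# cwd is untrusted if we cannot stat it, if another (effective) uid owns it,
# or if group/others can write to it.  A sticky bit (as on /tmp) does not
# make it safe: anyone can still create Demo/Optional.pm inside it.
sub cwd_is_untrusted {
    my $cwd = Cwd::getcwd();
    return 1 unless defined $cwd;
    my @st = stat $cwd;
    return 1 unless @st;
    my ($mode, $uid) = @st[2, 4];
    return 1 if $uid != $>;
    return 1 if $mode & (S_IWGRP | S_IWOTH);
    return 0;
}

# Drop "." and "" (both mean cwd) from @INC when cwd is untrusted, warning
# once.  Returns the number of entries removed.
sub drop_untrusted_cwd_from_inc {
    return 0 unless cwd_is_untrusted();
    my $before = scalar @INC;
    @INC = grep { $_ ne '.' && $_ ne '' } @INC;
    my $dropped = $before - @INC;
    warn "cwd is not trusted; removed '.' from \@INC\n" if $dropped;
    return $dropped;
}

# The pattern the thread is worried about: an optional dependency loaded
# inside eval, so a missing module is silently tolerated.  Returns the file
# the module was loaded from, or undef if it was not found.
sub try_optional_module {
    delete $INC{'Demo/Optional.pm'};        # force a fresh @INC search
    local $@;
    return eval { require Demo::Optional; $INC{'Demo/Optional.pm'} };
}

# --- demo: a world-writable directory with a planted module in it ---------
my $dir = File::Temp::tempdir(CLEANUP => 1);
make_path("$dir/Demo");
open my $fh, '>', "$dir/Demo/Optional.pm" or die "open: $!";
print {$fh} "package Demo::Optional;\n\$main::PLANTED_RAN = 1;\n1;\n";
close $fh;
chmod 0777, $dir or die "chmod: $!";       # like /tmp: others can write here
chdir $dir or die "chdir: $!";

# perl 5.26+ no longer puts "." in @INC; put it back to show the old behaviour
push @INC, '.' unless grep { $_ eq '.' } @INC;

our $PLANTED_RAN = 0;
my $from = try_optional_module();
printf "without guard: loaded %s, planted code ran: %d\n",
    defined $from ? $from : '(nothing)', $PLANTED_RAN;

my $n = drop_untrusted_cwd_from_inc();
$PLANTED_RAN = 0;
$from = try_optional_module();
printf "with guard (%d entries dropped): loaded %s, planted code ran: %d\n",
    $n, defined $from ? $from : '(nothing)', $PLANTED_RAN;
```

The first require picks up ./Demo/Optional.pm and runs whatever is in it; after the guard removes "." the same eval fails quietly with "Can't locate Demo/Optional.pm", which is the behaviour a script would have seen if the optional module were simply not installed. The ownership test uses the effective uid, so a setuid script run from another user's directory is also caught.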
