
[perl #127810] Provide -Dfortify_inc Configure option to remove . from @INC

Todd Rinaldo
April 1, 2016 00:01
# New Ticket Created by  "Todd Rinaldo" 
# Please include the string:  [perl #127810]
# in the subject line of all future correspondence about this issue. 
# <URL: >

This is a bug report for perl from,
generated with the help of perlbug 1.40 running under perl 5.22.1.

[Please describe your issue here]

Several discussions have been had over the years about removing . from @INC.

In 2010, Ansgar brought it up:
In 2012, I brought it up:

My summary of the responses to these email chains would be:

1. A certain percentage of people do not agree that . in @INC is a
security issue. Others feel it's "a basic sanity provision".
2. There is a general agreement that the Perl toolchain highly depends
on this behavior so the toolchain would have to be fixed.
3. Some predicted disastrous consequences.
4. Many feel the problem is unfixable because of how long Perl has
been this way.

I didn't quite make the Perl 5.18 deadline like I promised in the
email, but I now have a proposal complete with patches.

What I propose is a small patch to perl.c which causes . to be missing
from @INC unless the environment variable PERL_USE_UNSAFE_INC=1 is
present. This would only happen based on a Configure question which
would default to being off so that the default Perl install does not

cPanel currently ships and updates Perl 5.22 along with roughly 900
perl modules. In the coming version of our product, we will be
shipping a Perl that does not have . in @INC. These modules are all
built as RPMs and I consider the RPMs a failed build if their unit
tests cannot pass. There were about 3 of these 900 modules I had to do
something weird with (because they were stripping %ENV or just being
weird themselves). I did this by simply adding PERL_USE_UNSAFE_INC=1
in the appropriate places to EU::MM, M::B, M::B::Tiny.

I am attaching the patches which will provide this option. I have
updated no documentation yet. I can provide that if I can get some
agreement for this to merge for 5.25.0 (I assume I've missed the 5.24
deadline for something like this?)

You can also find the commits here on GitHub if you prefer to see them

Once this merges, it will provide an opportunity for me to begin
providing patches to authors so that PERL_USE_UNSAFE_INC is for the
most part unneeded.

[Please do not change anything below this line]
Site configuration information for perl 5.22.1:

Configured by cPanel at Wed Mar  2 15:47:40 CST 2016.

Summary of my perl5 (revision 5 version 22 subversion 1) configuration:

    osname=linux, osvers=2.6.32-431.29.2.el6.i686, archname=i386-linux-64int
2.6.32-431.29.2.el6.i686 #1 smp tue sep 9 20:14:52 utc 2014 i686 i686
i386 gnulinux '
    config_args='-des -Dusedevel -Darchname=i386-linux-64int
-Dcc=/usr/bin/gcc -Dcpp=/usr/bin/cpp -DDEBUGGING=none -Doptimize=-Os
-Dusemymalloc=n -Duseshrplib -Duselargefiles=yes -Duseposix=true
-Dhint=recommended -Duseperlio=yes -Dccflags=-DPERL_DISABLE_PMC
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-Dldflags=-Wl,-rpath -Wl,/usr/local/cpanel/3rdparty/perl/522/lib
-Dsiteprefix=/opt/cpanel/perl5/522 -Dsitebin=/opt/cpanel/perl5/522/bin
-Dsitelib=/opt/cpanel/perl5/522/site_lib -Dusevendorprefix=true
-Dman1dir=none -Dman3dir=none
-Dsiteman1dir=none -Dsiteman3dir=none -Dinstallman1dir=none
-Dversiononly=no -Dinstallusrbinperl=no -Dcf_by=cPanel
-Dmyhostname=localhost -Dperladmin=root@localhost
-Di_ndbm=/usr/local/cpanel/3rdparty/include -DDB_File=true -Ud_dosuid
-Uuserelocatableinc -Umad -Uusethreads -Uusemultiplicity -Uusesocks
-Uuselongdouble -Aldflags=-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -lgdbm
/usr/local/cpanel/3rdparty/include /usr/local/include  -Duse64bitint
-Uuse64bitall -Acflags=-fPIC -DPIC -m32
/usr/local/cpanel/3rdparty/lib /usr/local/lib /lib /usr/lib '
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='/usr/bin/gcc', ccflags ='-DPERL_DISABLE_PMC
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-fwrapv -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-DPERL_DISABLE_PMC -I/usr/local/cpanel/3rdparty/perl/522/include
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-fwrapv -fno-strict-aliasing -pipe -fstack-protector
    ccversion='', gccversion='4.4.7 20120313 (Red Hat 4.4.7-4)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8,
byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define,
longdblsize=12, longdblkind=3
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8,
Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='/usr/bin/gcc', ldflags ='-Wl,-rpath
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -lgdbm
-fstack-protector -L/usr/local/lib'
/usr/local/cpanel/3rdparty/lib /usr/local/lib /lib /usr/lib
/usr/local/lib /usr/lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc, so=so, useshrplib=true,
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E
    cccdlflags='-fPIC', lddlflags='-shared -Os
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -L/usr/local/lib

Locally applied patches:
    cPanel patches
    cPanel INC path changes
    Remove . from @INC

@INC for perl 5.22.1:

Environment for perl 5.22.1:
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PERL_BADLANG (unset)
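
The behaviour proposed in the message above, emulated at script level as an added example; it is not part of the original post and is not the perl.c patch itself. The sub names `cwd_dependent` and `fortified_inc` are hypothetical, and the sample search path is constructed (its first entry reuses the sitelib value from the configuration dump).

```perl
#!/usr/bin/perl
# Added example: audit @INC for entries that depend on the current
# working directory, and emulate the proposed PERL_USE_UNSAFE_INC policy.
use strict;
use warnings;
use File::Spec;

# Entries of a search path that resolve against the current working
# directory: "." itself or any other relative path. Code refs and
# objects placed in @INC (hooks) are not paths and are skipped.
sub cwd_dependent {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @_;
}

# The policy described in the post: "." is dropped from the search path
# unless PERL_USE_UNSAFE_INC=1 is present in the environment.
# $env is a hash ref standing in for %ENV so both cases can be shown.
sub fortified_inc {
    my ($env, @inc) = @_;
    return @inc if ($env->{PERL_USE_UNSAFE_INC} // '') eq '1';
    return grep { ref($_) || $_ ne '.' } @inc;
}

# Constructed sample search path shaped like a default @INC that still
# ends with ".".
my @sample = ('/opt/cpanel/perl5/522/site_lib', '/usr/lib/perl5', '.');

my @cases = ({}, { PERL_USE_UNSAFE_INC => 1 });
for my $env (@cases) {
    my @result = fortified_inc($env, @sample);
    printf "PERL_USE_UNSAFE_INC=%s -> %s\n",
        $env->{PERL_USE_UNSAFE_INC} // '(unset)', join(':', @result);
}

# Audit the interpreter that is actually running this script.
my @risky = cwd_dependent(@INC);
if (@risky) {
    print "cwd-dependent \@INC entries: @risky\n";
}
else {
    print "no cwd-dependent entries in \@INC\n";
}
```

Run under the perl you want to audit; a build that still appends "." reports it in the last line of output.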
