develooper Front page | perl.perl5.porters | Postings from April 2016

[perl #127810] Provide -Dfortify_inc Configure option to remove .from @INC

Thread Previous | Thread Next
Tony Cook via RT
April 1, 2016 22:13
[perl #127810] Provide -Dfortify_inc Configure option to remove .from @INC
Message ID:
On Thu Mar 31 17:01:11 2016, TODDR wrote:
> Several discussions have been had over the years about removing . from
> @INC.
> In 2010, Ansgar brought it up:
> In 2012, I brought it up:
> My summary of the responses to these email chains would be:
> 1. A certain percentage of people do not agree that . in @INC is a
> security issue. Others feel it's "a basic sanity provision"
> 2. There is a general agreement that the Perl toolchain highly depends
> on this behavior so the toolchain would have to be fixed.
> 3. Some predicted disastrous consequences.
> 4. Many feel the problem is unfixable because of how long Perl has
> been this way.
> I didn't quite make the Perl 5.18 deadline like I promised in the
> email, but I now have a proposal complete with patches.
> What I propose is a small patch to perl.c which causes . to be missing
> from @INC unless the environment variable PERL_USE_UNSAFE_INC=1 is
> present. This would only happen based on a Configure question which
> would default to being off so that the default Perl install does not
> change.
> Cpanel currently ships and updates Perl 5.22 along with roughly 900
> perl modules. In the coming version of our product, we will be
> shipping a Perl that does not have . in @INC. These modules are all
> built as RPMs and I consider the RPMs a failed build if their unit
> tests cannot pass. There were about 3 of these 900 modules I had to do
> something weird with (because they were stripping %ENV or just being
> weird themselves). I did this by Simply adding PERL_USE_UNSAFE_INC=1
> in the appropriate places to EU::MM, M::B, M::B::Tiny.
> I am attaching the patches which will provide this option. I have
> updated no documentation yet. I can provide that if I can get some
> agreement for this to merge for 5.25.0 (I assume I've missed the 5.24
> deadline for something like this?)

Is this intended to be a security measure?

I'm not sure how it can be if the user can set an environment variable to override it?  (and in this case they can set PERL5LIB anyway).

An alternative might be a command-line option (like -T without the taint parts) to disable '.' in @INC.


via perlbug:  queue: perl5 status: open

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About