develooper Front page | perl.perl5.porters | Postings from April 2016

[perl #127810] Provide -Dfortify_inc Configure option to remove . from @INC

Todd Rinaldo via RT
April 4, 2016 18:20
On Fri Apr 01 15:13:05 2016, tonyc wrote:
> Is this intended to be a security measure?
Yes. When not doing development (which aside from toolchain was the other major argument for it being there always), I am asserting that it is a safer thing for . to not be in @INC by default.

> I'm not sure how it can be if the user can set an environment variable
> to override it?  (and in this case they can set PERL5LIB anyway).
The goal here is not to deny . in INC. The goal is to provide a safer default so unexpected things happen less.

> An alternative might be a command-line option (like -T without the
> taint parts) to disable '.' in @INC.
Right but that would be the opposite of what I'm trying to achieve here. This whole thing could be argued as: "Just use taint"! The problem is that taint is easier said than done at a global level. It requires EVERY script be updated in order to take advantage of this. 

The point of this change is to make the default behavior of a perl script not dependent on the current working directory. If the individual running the script wants the '.' restored to @INC, they can use the environmental variable. If the script author wants this behavior, they can trivially add the '.' to @INC in their code.

via perlbug:  queue: perl5 status: open
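To make the point of the message concrete, here is a short added Perl example (not code from the thread or from the perl project) showing how a script author can check whether module lookup depends on the current working directory and how to opt in explicitly, as the message suggests, rather than relying on the interpreter default or on an environment variable set by whoever runs the script. The FindBin idiom and the append-rather-than-prepend choice are this example's own recommendations.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use FindBin qw($Bin);
use lib $Bin;   # search the script's own directory, not the caller's cwd

# Return the @INC entries that make 'require'/'use' depend on the current
# working directory: the literal '.' and the empty string, which perl
# also treats as "current directory".
sub cwd_entries_in_inc {
    return grep { $_ eq '.' || $_ eq '' } @INC;
}

# A script that deliberately wants the old behaviour opts in here, in its
# own code, instead of depending on the build-time default or on the
# environment of whoever invokes it.  Appending (not prepending) keeps the
# system module directories ahead of the current directory, so a file in
# cwd cannot shadow an installed module of the same name.
sub restore_cwd_in_inc {
    push @INC, '.' unless cwd_entries_in_inc();
    return scalar @INC;
}

if (cwd_entries_in_inc()) {
    print "module lookup depends on cwd; \@INC = @INC\n";
} else {
    print "cwd is not searched; the script directory $Bin is (via FindBin)\n";
}
```

Run it once from a perl built with the default @INC and once with the option discussed in the thread (or with the current directory removed some other way) to see which branch is taken.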
