Front page | perl.perl5.porters |
Postings from April 2016
On Fri Apr 01 15:13:05 2016, tonyc wrote: > Is this intended to be a security measure? Yes. When not doing development (which aside from toolchain was the other major argument for it being there always), I am asserting that it is a safer thing for . to not be in @INC by default. > I'm not sure how it can be if the user can set an environment variable > to override it? (and in this case they can set PERL5LIB anyway). The goal here is not to deny . in INC. The goal is to provide a safer default so unexpected things happen less. > An alternative might be a command-line option (like -T without the > taint parts) to disable '.' in @INC. Right but that would be the opposite of what I'm trying to achieve here. This whole thing could be argued as: "Just use taint"! The problem is that taint is easier said than done at a global level. It requires EVERY script be updated in order to take advantage of this. The point of this change is to make the default behavior of a perl script not dependent on the current working directory. If the individual running the script wants the '.' restored to @INC, they can use the environmental variable. If the script author wants this behavior, they can trivially add the '.' to @INC in their code. --- via perlbug: queue: perl5 status: open https://rt.perl.org/Ticket/Display.html?id=127810Thread Next