develooper Front page | perl.perl5.porters | Postings from August 2016

Re: Alternative Fix for dot-in-INC mechanic.

Thread Previous | Thread Next
Todd Rinaldo
August 24, 2016 10:59
Re: Alternative Fix for dot-in-INC mechanic.
Message ID:

> On Aug 23, 2016, at 6:50 PM, Aristotle Pagaltzis <> wrote:
> * Kent Fredric <> [2016-08-14 23:36]:
>> Presently, localising is done regardless of the presence of a ".",
>> making any @INC modification in impossible, even if the user
>> had already removed '.' themselves.
> Which is, frankly, disastrous, and haarg pointing it out made me cringe
> that I completely missed that implication myself. I am dismayed at the
> fact that this nearly went unnoticed.

I've replied elsewhere but I'm going to reply here too. The recommendation stated when the security disclosure was made was that it was:

"While the Perl Security group has attempted to mitigate some of these
problems by modifying Perl Modules, it is ultimately the responsibility
of the application writer to remove relative paths from @INC to assure
the security / consistent behavior of their code regardless of what
directory it executes from."

The changes being made to seem to have proven to have a high risk of being an API change. This kinda makes it inappropriate for a maintenance release. Assuming we have an alternative plan for 5.24 and forward, I recommend we simply hi-light the risk of using base and NOT fix it. 

IMO, There's nothing wrong with saying "there's a risk here" and leaving it to other's to assess and mitigate the risk in their own way on legacy Perl.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About