perl.perl5.porters | Postings from August 2016

Re: Alternative Fix for base.pm dot-in-INC mechanic.

From:
Todd Rinaldo
Date:
August 24, 2016 10:59
Subject:
Re: Alternative Fix for base.pm dot-in-INC mechanic.
Message ID:
34320625-08D4-4799-B7DD-2607DE72F005@cpanel.net

> On Aug 23, 2016, at 6:50 PM, Aristotle Pagaltzis <pagaltzis@gmx.de> wrote:
> 
> * Kent Fredric <kentfredric@gmail.com> [2016-08-14 23:36]:
>> Presently, localising is done regardless of the presence of a ".",
>> making any @INC modification in base.pm impossible, even if the user
>> had already removed '.' themselves.
> 
> Which is, frankly, disastrous, and haarg pointing it out made me cringe
> that I completely missed that implication myself. I am dismayed at the
> fact that this nearly went unnoticed.
> 

I've replied elsewhere but I'm going to reply here too. The recommendation stated when the security disclosure was made was that it was:

"While the Perl Security group has attempted to mitigate some of these
problems by modifying Perl Modules, it is ultimately the responsibility
of the application writer to remove relative paths from @INC to assure
the security / consistent behavior of their code regardless of what
directory it executes from."

The changes being made to base.pm seem to have proven to have a high risk of being an API change. This kinda makes it inappropriate for a maintenance release. Assuming we have an alternative plan for 5.24 and forward, I recommend we simply highlight the risk of using base and NOT fix it.

IMO, there's nothing wrong with saying "there's a risk here" and leaving it to others to assess and mitigate the risk in their own way on legacy Perl.

Todd
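As an added illustration of the advisory recommendation quoted above (this is not code from the thread, from base.pm or from the perl5 repository), a startup block that removes '.' and any other relative directory from @INC before any further module is loaded. It assumes only the core File::Spec module, and it does nothing about a module that localises @INC internally, which is the base.pm behaviour Kent describes.

```perl
#!/usr/bin/perl
# Added example: keep @INC free of relative directories from the start.
use strict;
use warnings;
use File::Spec;

# Code refs and objects are legitimate @INC hooks, not paths, so they
# are kept. A plain string is kept only when it is an absolute path;
# '.' or any other relative entry is resolved against whatever directory
# the program happens to be started from, which is the risk at issue.
sub is_safe_inc_entry {
    my ($entry) = @_;
    return 1 if ref $entry;
    return File::Spec->file_name_is_absolute($entry) ? 1 : 0;
}

# Report the entries that would be searched relative to the cwd.
sub relative_inc_entries {
    return grep { !is_safe_inc_entry($_) } @INC;
}

BEGIN {
    # Runs at compile time, ahead of every later `use`, so those loads
    # never consult a relative directory. It cannot influence a module
    # that localises @INC and re-adds '.' on its own.
    my @dropped = relative_inc_entries();
    warn "Dropping relative \@INC entries: @dropped\n" if @dropped;
    @INC = grep { is_safe_inc_entry($_) } @INC;
}

# Remaining search path, for inspection.
print "  $_\n" for @INC;
```

On a perl that still ships with '.' in @INC, the warning line names it; on one that does not, the block is a no-op apart from the listing.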

