On Tue, Aug 10, 2021 at 1:25 AM ASSI <Stromeko@nexgo.de> wrote:

> Dan Book writes:
> > It's quite different to account for the default behavior of Perl up
> > until 5.26, than to account for anyone's modification of @INC which
> > may have a good reason (and if you want to protect against that, you
> > must remove any relative path from @INC, not just '.').
>
> The attack vector doesn't depend on the path being relative.
>

What do you mean by this? This is the entire reason that the current working directory in @INC is a vulnerability. Other relative paths are also treated as relative to the current working directory.

-Dan
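
The step named in the message above, removing every relative path from @INC and not just '.', sketched in Perl. This is an added example, not code from the thread; `partition_inc` is a hypothetical helper and the sample list is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Split a list of @INC entries into those to keep and those that
# perl would resolve against the current working directory.
sub partition_inc {
    my (@keep, @relative);
    for my $entry (@_) {
        if (ref $entry) {
            # Code refs, array refs and objects in @INC are hooks, not
            # directory names, so the relative-path test does not apply.
            push @keep, $entry;
        }
        elsif (File::Spec->file_name_is_absolute($entry)) {
            push @keep, $entry;
        }
        else {
            # '.', 'lib', '../blib/lib' and so on: all looked up
            # relative to whatever directory the process is in.
            push @relative, $entry;
        }
    }
    return (\@keep, \@relative);
}

# Constructed sample list (not taken from any real installation).
my @sample = ('/usr/lib/perl5', 'lib', '.', '../blib/lib',
              sub { return }, '/opt/app/lib');
my ($keep, $relative) = partition_inc(@sample);
print "sample, relative entry: $_\n" for @$relative;
print "sample, kept: ", scalar(@$keep), " of ", scalar(@sample), "\n";

# The same check applied to the running interpreter. Do this before any
# later require/use that could be reached with an untrusted working
# directory.
my ($inc_keep, $inc_relative) = partition_inc(@INC);
warn "dropping relative \@INC entry: $_\n" for @$inc_relative;
@INC = @$inc_keep;
```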