
Re: CVE-2021-36770: loads code from outside expected @INC

Dan Book
August 10, 2021 06:40
Re: CVE-2021-36770: loads code from outside expected @INC
On Tue, Aug 10, 2021 at 1:25 AM ASSI <> wrote:

> Dan Book writes:
> > It's quite different to account for the default behavior of Perl up
> > until 5.26, than to account for anyone's modification of @INC which
> > may have a good reason (and if you want to protect against that, you
> > must remove any relative path from @INC, not just '.').
> The attack vector doesn't depend on the path being relative.

What do you mean by this? This is the entire reason that the current
working directory in @INC is a vulnerability. Other relative paths are also
treated as relative to the current working directory.
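A defender-side check for the point made above, added here as an example and not part of the thread: it lists every @INC entry that is not absolute (so not just '.'), shows where each one resolves against the current working directory, and builds a filtered @INC containing only absolute paths and hooks. The sample @INC values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Cwd qw(getcwd);

# Return the @INC entries that are resolved against the current working
# directory: '.', 'lib', '../foo' and similar. Hook entries (code refs,
# objects, array refs) are skipped because they are not filesystem paths.
sub relative_inc_entries {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Keep only absolute paths and hooks, preserving the original order so the
# module search precedence of the remaining entries is unchanged.
sub absolute_inc_only {
    my @inc = @_;
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @inc;
}

# Constructed sample resembling a pre-5.26 @INC plus a project 'lib' entry.
my @sample_inc = ('/usr/local/lib/perl5', 'lib', '.', '/usr/lib/perl5');

for my $entry (relative_inc_entries(@sample_inc)) {
    # Each relative entry means a different directory depending on cwd.
    printf "relative entry %-5s resolves to %s\n",
        "'$entry'", File::Spec->rel2abs($entry, getcwd());
}

printf "filtered sample: %s\n", join(' ', absolute_inc_only(@sample_inc));

# Apply the same filter to the real @INC of this process before loading
# any modules whose search path should not depend on the working directory.
@INC = absolute_inc_only(@INC);
```

Run it from two different directories to see the relative entries resolve to two different locations while the filtered list stays the same.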

