On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote:
> On 29 August 2016 at 14:39, Dominic Hargreaves <dom@earth.li> wrote:
> > tl;dr: '.' is being removed from perl's @INC by default; some breakage
> > in apps expected.
> >
> > For some years[1], it's been known that perl's habit of including '.'
> > in its module load path (@INC) is potentially dangerous, since it
> > can allow untrusted code to be run under certain circumstances. However,
> > for most of that time it wasn't taken that seriously, particularly as the
> > fix is quite disruptive.
>
> Other languages do that too, e.g. python. Doesn't python have the same
> concerns then too?

Python doesn't put . in sys.path (the search path for imported modules).
It puts the absolute path where the script was found as the first element.
See https://docs.python.org/2/library/sys.html#sys.path for details.

That page documents the cases where the empty string (effectively the same
as .) is inserted at the beginning of sys.path, but they're not relevant
for installed software: one is when you run python and import on the REPL
command line, the other is when you provide the script on the command line
("python -c 'foo bar'").

-- 
I want to build worthwhile things that might last. --joeyh
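The sys.path behaviour described in the reply above, shown in an added Python example (not from the thread): it runs the interpreter as a subprocess once with -c and once with a script in a temporary directory, reads back sys.path[0] in each case, and audits a path list for entries that resolve against the current working directory. PROBE, path0_for_dash_c, path0_for_script and cwd_relative_entries are names chosen here; the example assumes the default interpreter configuration (no -P / PYTHONSAFEPATH).

```python
"""Where Python really puts the script directory and '' in sys.path."""
import ast
import os
import subprocess
import sys
import tempfile

# One-liner run in a child interpreter; prints repr() of its sys.path[0].
PROBE = "import sys; print(repr(sys.path[0]))"


def _child_path0(argv):
    """Run the current interpreter with argv and return its sys.path[0]."""
    # PYTHONSAFEPATH (3.11+) would suppress the entry we want to observe,
    # so drop it to reproduce the default behaviour the mail talks about.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    out = subprocess.run([sys.executable] + argv, capture_output=True,
                         text=True, check=True, env=env).stdout
    return ast.literal_eval(out.strip())


def path0_for_dash_c():
    """Code given with -c: sys.path[0] is '' (meaning the cwd)."""
    return _child_path0(["-c", PROBE])


def path0_for_script():
    """A script file: sys.path[0] is the script's own (absolute) directory.

    Returns (path0, True if path0 is the script's directory).
    """
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "probe.py")  # constructed throwaway script
        with open(script, "w") as fh:
            fh.write(PROBE + "\n")
        path0 = _child_path0([script])
        # realpath on both sides: the interpreter resolves symlinks in the
        # script path, and tmp dirs are often behind a symlink (e.g. macOS).
        same_dir = os.path.realpath(path0) == os.path.realpath(tmp)
    return path0, same_dir


def cwd_relative_entries(path_list):
    """Entries of a sys.path-like list that resolve against the cwd.

    '' and any relative path are the ones that let a module in the current
    directory shadow an installed one; absolute entries do not.
    """
    return [p for p in path_list if p == "" or not os.path.isabs(p)]


if __name__ == "__main__":
    print("-c        ->", repr(path0_for_dash_c()))
    print("script.py ->", path0_for_script())
```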