
Re: Upcoming change to perl: current directory in @INC



On Thu, Sep 08, 2016 at 02:04:21PM +0300, Lars Wirzenius wrote:
> On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote:
> > On 29 August 2016 at 14:39, Dominic Hargreaves <dom@earth.li> wrote:
> > > tl;dr: '.' is being removed from perl's @INC by default; some breakage
> > > in apps expected.
> > >
> > > For some years[1], it's been known that perl's habit of including '.'
> > > in its module load path, (@INC) is potentially dangerous, since it
> > > can allow untrusted code to be run under certain circumstances. However,
> > > for most of that time it wasn't taken that seriously, particularly as the
> > > fix is quite disruptive.
> > 
> > Other languages do that too. E.g. python, Doesn't python have the same
> > concerns then too?
> 
> Python doesn't put . in sys.path (the search path for imported
> modules). It puts the absolute path where the script was found as the
> first element.

Although there were similar problems when embedding Python in other
programs.  See CVE-2008-5983[0] for the Python side of the issue.  There
were also various CVEs at the time for the programs that were doing the
embedding (like Vim[1], X-Chat[2], etc.).

[0]: https://security-tracker.debian.org/CVE-2008-5983
[1]: https://security-tracker.debian.org/CVE-2009-3916
[2]: https://security-tracker.debian.org/CVE-2009-3915

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
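The thread contrasts perl's '.' in @INC with Python's sys.path[0], and the embedding CVEs James cites concern the case where that first entry ends up being the current working directory rather than a script's directory. The following helpers are an added example, not code from the thread or from the perl or Python projects: they take a module search path as a plain list and report or strip any entry that resolves to the current working directory ('', '.', or an absolute path equal to cwd). The function names and the constructed sample path are assumptions made for the example.

```python
"""Detect and strip current-directory entries from a module search path.

Added example (not from the thread). The helpers operate on a plain list so
they can be applied to sys.path of a running interpreter, or to an @INC-style
list for comparison. Entries that are cwd-relative mean an import can be
satisfied by whatever happens to live in the process's working directory.
"""
import os
import sys


def cwd_entries(search_path, cwd=None):
    """Return the entries of ``search_path`` that resolve to the working dir.

    Python puts the directory of the invoked script at sys.path[0]; for an
    embedding host without a script that entry could be '' (empty), which
    resolves to the cwd at import time. Perl's equivalent is the literal '.'
    in @INC discussed in the thread.
    """
    cwd = os.path.abspath(cwd if cwd is not None else os.getcwd())
    found = []
    for entry in search_path:
        # '' and '.' are the classic cwd-relative entries; an absolute path
        # that equals cwd carries the same risk, so it is reported as well.
        if entry in ('', '.'):
            found.append(entry)
        elif os.path.abspath(os.path.join(cwd, entry)) == cwd:
            found.append(entry)
    return found


def strip_cwd_entries(search_path, cwd=None):
    """Return a copy of ``search_path`` with cwd-relative entries removed,
    preserving the order of the remaining entries."""
    risky = set(cwd_entries(search_path, cwd))
    return [entry for entry in search_path if entry not in risky]


if __name__ == "__main__":
    # Check the live interpreter: report, then harden sys.path in place.
    risky = cwd_entries(sys.path)
    print("cwd-relative entries in sys.path:", risky or "none")
    sys.path[:] = strip_cwd_entries(sys.path)
    print("sys.path after hardening:", sys.path)
```

Running the block directly shows whether the interpreter it runs under has a cwd-relative entry (interactive sessions and `python -c` typically do, while `python script.py` gets the script's directory instead); the strip step is the Python-side analogue of the @INC change the thread announces.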

