
PHP insecure path? (Was: Upcoming change to perl: current directory in @INC)



2016-09-08 12:55 GMT+02:00 Dimitri John Ledkov <xnox@debian.org>:
> Hello,
>
> On 29 August 2016 at 14:39, Dominic Hargreaves <dom@earth.li> wrote:
>> tl;dr: '.' is being removed from perl's @INC by default; some breakage
>> in apps expected.
>>
>> For some years[1], it's been known that perl's habit of including '.'
>> in its module load path (@INC) is potentially dangerous, since it
>> can allow untrusted code to be run under certain circumstances. However,
>> for most of that time it wasn't taken that seriously, particularly as the
>> fix is quite disruptive.
>
> Other languages do that too, e.g. python. Doesn't python have the same
> concerns then too?

php does:
$ php -i | grep include_path
include_path => .:/usr/share/php => .:/usr/share/php

What should we do then?

Regards
-- 
Mathieu Parent
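
Added example, not part of the original message or of PHP: a shell check that takes the include_path line printed by `php -i` (as quoted above) and reports every entry, in both the local and master value, that is not an absolute path and so depends on the current working directory. The function names are hypothetical, and it assumes a Unix ':'-separated list with no stream-wrapper entries.

```shell
#!/bin/sh
# relative_entries PATHLIST
# Print each entry of a ':'-separated list that does not start with '/'.
# An empty entry is printed as "(empty)" so a reviewer can see it.
relative_entries() {
    rest="$1:"                 # trailing ':' so the last entry is seen too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                        # absolute: independent of cwd
            '') echo "(empty)" ;;
            *)  echo "$entry" ;;          # '.', '..', 'lib', ...
        esac
    done
}

# audit_include_path LINE
# LINE has the form "include_path => LOCAL => MASTER".
# Prints "local: ENTRY" / "master: ENTRY" for each relative entry.
# Returns 0 if none, 1 if any were found, 2 if LINE is not recognised.
audit_include_path() {
    case $1 in
        'include_path => '*' => '*) ;;
        *) echo "unrecognised line: $1" >&2; return 2 ;;
    esac
    values=${1#'include_path => '}
    local_value=${values%%' => '*}
    master_value=${values#*' => '}
    found=0
    for pair in "local:$local_value" "master:$master_value"; do
        scope=${pair%%:*}
        value=${pair#*:}
        # php -i prints "no value" for a directive that is not set
        [ "$value" = "no value" ] && continue
        hits=$(relative_entries "$value")
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s/^/$scope: /"
        fi
    done
    return $found
}

# Sample input: the line quoted in the message above.
audit_include_path 'include_path => .:/usr/share/php => .:/usr/share/php' || true
```

On a live system the argument would be "$(php -i | grep '^include_path')"; a non-zero return makes the check usable in a packaging or CI test.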
