
Re: Upcoming change to perl: current directory in @INC



Lars Wirzenius <liw@liw.fi> writes:
> On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote:

>> Other languages do that too. E.g. python. Doesn't python have the same
>> concerns then too?

> Python doesn't put . in sys.path (the search path for imported
> modules). It puts the absolute path where the script was found as the
> first element. See https://docs.python.org/2/library/sys.html#sys.path
> for details.

That's a little better but not a lot better.  It means that it's still
unsafe to run any script out of a world-writeable directory such as /tmp,
even if the sticky bit is set.  I don't see any inherent reason why that
should have to be the case (other than, of course, that this Python
behavior is long-standing and lots of software depends on it, but that's
probably true of Perl as well -- I already had to fix one place where I
was relying on this behavior and hadn't realized I was).

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
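
An added example, not part of the original message: a check that flags module search path entries in which another local user could create files, including sticky-bit directories such as /tmp as discussed above. The function name and the trusted-owner policy (root and the current user) are assumptions of this example.

```python
import os
import stat
import sys
import tempfile


def risky_search_path_entries(paths, trusted_uids=None):
    """Return (entry, reason) pairs for module search path entries
    that another local user could plant files in."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumed policy: root and ourselves
    findings = []
    for entry in paths:
        # "" and other relative entries resolve against the current
        # directory, so their meaning changes with every chdir().
        if not os.path.isabs(entry):
            findings.append((entry, "relative to current directory"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # a missing entry cannot be searched
        if not stat.S_ISDIR(st.st_mode):
            continue  # e.g. a zip archive on the path
        if st.st_mode & stat.S_IWOTH:
            # The sticky bit only stops users deleting or renaming each
            # other's files; anyone can still create new ones.
            sticky = " (sticky bit set)" if st.st_mode & stat.S_ISVTX else ""
            findings.append((entry, "world-writable" + sticky))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, "owned by untrusted uid %d" % st.st_uid))
    return findings


def demo():
    # Constructed sample: a /tmp-like directory and a private one.
    with tempfile.TemporaryDirectory() as base:
        shared, private = os.path.join(base, "shared"), os.path.join(base, "private")
        os.mkdir(shared)
        os.mkdir(private)
        os.chmod(shared, 0o1777)
        os.chmod(private, 0o755)
        return [r for _, r in risky_search_path_entries(["", shared, private])]


if __name__ == "__main__":
    for entry, reason in risky_search_path_entries(sys.path):
        print("%r: %s" % (entry, reason))
```

Only each entry itself is inspected; writable ancestor directories are not checked.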

