Bug#588017: perl: current directory in @INC potentially harmful
Dominic Hargreaves
dom at earth.li
Sun Jul 4 17:47:32 UTC 2010
On Sun, Jul 04, 2010 at 08:34:35PM +0300, Eugene V. Lyubimkin wrote:
> Ansgar Burchardt wrote:
> > perl includes the current directory as the last element in @INC when not
> > running in taint mode (-T). As many modules try to load other modules
> > that may or may not be installed, this can result in code execution.
> For first, I don't believe this is a bug at all. I even used it for debugging
> some code as a feature. It's not about using arbitrary code - it's about using
> a code from a directory, that user (or administrator) has a write access to
> and therefore directly or indirectly moved the code to that place.
>
> I set the severity of the bug to 'normal' for now I leave the final word for
> Niko Tyni and/or security team.
Whoa, this is quite hasty. The reason that this is a security bug is
because the current directory should not be trusted, because it might
be writable by a *different* non-root user who might wish to trick you
into running malicious code. For exactly the same reason, shells don't have
the current directory in their path.
I'm not going to start play severity games, but thie looks very much
like a security bug to me.
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
More information about the Perl-maintainers
mailing list