Bug#588017: perl: current directory in @INC potentially harmful
Chris Butler
chrisb at debian.org
Mon Jul 12 18:47:34 UTC 2010
tag 588017 +upstream
thanks
On Sun, Jul 04, 2010 at 06:47:32PM +0100, Dominic Hargreaves wrote:
> I'm not going to start playing severity games, but this looks very much
> like a security bug to me.
It looks like this is a conscious decision by upstream, it's even documented
in perlvar(1):

    The array @INC contains the list of places that the "do EXPR",
    "require", or "use" constructs look for their library files. It
    initially consists of the arguments to any -I command-line switches,
    followed by the default Perl library, probably /usr/local/lib/perl,
    followed by ".", to represent the current directory. ("." will not be
    appended if taint checks are enabled, either by "-T" or by "-t".)

--
Chris Butler <chrisb at debian.org>
GnuPG Key ID: 4096R/49E3ACD3
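
An added example, not part of the original message or of Perl itself: a small audit script that lists the @INC entries of the running interpreter that resolve against the current directory (such as ".") or are writable by other users. The file name audit_inc.pl used below is an assumption.

```perl
#!/usr/bin/perl
# Added example (not from the original message): audit the running
# interpreter's @INC for entries a local user could influence.
use strict;
use warnings;
use File::Spec;

# Return a list of findings for one @INC entry (empty list = nothing flagged).
sub audit_entry {
    my ($entry) = @_;
    # @INC may also hold hooks (code refs or objects); they are not paths.
    return ('hook, not a directory: review by hand') if ref $entry;

    my @findings;
    push @findings, 'relative: resolved against the current directory at load time'
        unless File::Spec->file_name_is_absolute($entry);

    if (-d $entry) {
        # "stat _" reuses the stat buffer filled by the -d test above.
        my $mode = (stat _)[2] & 07777;
        push @findings, sprintf('writable by group or others (mode %04o)', $mode)
            if $mode & 0022;
    }
    return @findings;
}

# ${^TAINT} is non-zero when taint checks (-T or -t) are enabled.
printf "taint mode: %s\n", ${^TAINT} ? 'on' : 'off';

my $flagged = 0;
for my $entry (@INC) {
    my @findings = audit_entry($entry);
    next unless @findings;
    $flagged++;
    print "$entry\n";
    print "    - $_\n" for @findings;
}
print "no entries flagged\n" unless $flagged;
exit($flagged ? 1 : 0);
```

Running it once as `perl audit_inc.pl` and once as `perl -T audit_inc.pl` shows the difference the perlvar text describes: with taint checks enabled, "." is not appended to @INC.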