Bug#588017: perl: current directory in @INC potentially harmful

Niko Tyni ntyni at debian.org
Wed Aug 4 12:02:52 UTC 2010


On Mon, Jul 12, 2010 at 07:47:34PM +0100, Chris Butler wrote:

> It looks like this is a conscious decision by upstream, it's even documented
> in perlvar(1):
> 
>     The array @INC contains the list of places that the "do EXPR",
>     "require", or "use" constructs look for their library files.  It
>     initially consists of the arguments to any -I command-line switches,
>     followed by the default Perl library, probably /usr/local/lib/perl,
>     followed by ".", to represent the current directory.  ("." will not be
>     appended if taint checks are enabled, either by "-T" or by "-t".)

Yes. It's worked this way at least 15 years.

While I agree it's potentially harmful, I think fixing it has a very
high risk of breaking user scripts. It's definitely not something to do
in a stable security update, and I'm not enthusiastic about diverging
from upstream at all here.

Ansgar, could you please discuss this upstream on the perl5-porters list?
-- 
Niko Tyni   ntyni at debian.org
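
An added example, not part of the original message or of Perl itself: a script can audit its own @INC for entries resolved against the current working directory, such as the trailing "." that perlvar describes, and drop them before loading further modules. The helper names and the sample list are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Return the @INC entries that are resolved relative to the current
# working directory (".", "", "lib", "../x"). References in @INC are
# hooks or objects, not paths, so they are skipped.
sub relative_inc_entries {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Return a copy of the list with every relative path entry removed.
# Hooks and absolute directories keep their original order.
sub strip_relative_inc {
    my @inc = @_;
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @inc;
}

# Harden this process at compile time, before any later "use" statement
# is resolved. The subs above are already compiled when this block runs.
my @dropped;
BEGIN {
    @dropped = relative_inc_entries(@INC);
    @INC     = strip_relative_inc(@INC);
}

# Report what the interpreter started with, for audit purposes.
if (@dropped) {
    print "removed relative \@INC entries: ",
          join(', ', map { "'$_'" } @dropped), "\n";
} else {
    print "no relative \@INC entries (taint mode, or already hardened)\n";
}

# Constructed sample list, mirroring the layout perlvar describes:
# library directories first, "." appended last.
my @sample = ('/etc/perl', '/usr/local/lib/perl', '.');
print "sample before: @sample\n";
print "sample after:  ", join(' ', strip_relative_inc(@sample)), "\n";
```

Running the same script with `perl -T` shows the taint-mode behaviour quoted above: "." is never appended, so nothing is removed.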





