Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re^4: 'do' command is dead? Surely not?

by davido (Archbishop)
on May 19, 2017 at 14:38 UTC ( #1190628=note: print w/replies, xml ) Need Help??


in reply to Re^3: 'do' command is dead? Surely not?
in thread 'do' command is dead? Surely not?

Recent versions of Perl (v5.24.1+) removed '.' from @INC, so this is probably right on the mark. If the OP is using a recent enough Perl version it will not look in the dot path unless something like this happens:

use lib '.';

Though that is subject to the challenges that the dot path has always faced. It would be better to do something like this:

use FindBin; use lib "$FindBin::Bin/../lib"; # Or whatever is accurate for this scr +ipt's needs.

This eliminates sensitivity to where the script was invoked from.

See also: FindBin, lib, and perl5241delta.


Dave

Replies are listed 'Best First'.
Re^5: 'do' command is dead? Surely not?
by haukex (Monsignor) on May 19, 2017 at 16:27 UTC

      At the start of your first-linked P5P thread, haukex:

      Which means simply saying "welp, . isn't in @INC anymore" is going to leave a vast number of broken scripts, most of them likely the ones whose users are least knowledgable about perl (do 'config.pl' is very common baby perl, I think).

      Fair comment!

      I'm likely to solve it by automating a massive search-and-replace, inserting a './' before all filenames. (Might just back up first!). I think I know enough to know that the removal of '.' from @INC is best not over-ridden!

      Many thanks to everyone who contributed to this. You are a wise and, yes, very attractive bunch of people!

Re^5: 'do' command is dead? Surely not?
by syphilis (Chancellor) on May 20, 2017 at 09:49 UTC
    Recent versions of Perl (v5.24.1+) removed '.' from @INC

    I knew this is coming for 5.26.0+ ... but backporting it before 5.26.0 is released seems rather extraordinary to me.

    For the OP's case, I think
    do './test-response.pl';
    is sufficient.

    Cheers,
    Rob
Re^5: 'do' command is dead? Surely not?
by ACI (Acolyte) on May 19, 2017 at 14:57 UTC

    Intriguing, though a bit technical for me to grasp. I update the OS religiously, and this might have been a trigger. Currently seem to be on Perl v5.24.1.

Re^5: 'do' command is dead? Surely not?
by KurtZ (Monk) on May 19, 2017 at 14:53 UTC
    Recent versions of Perl (v5.24.1+) removed '.' from @INC,

    Ehm , why?

      Because something as seemingly safe as use strict can load strict.pm from the current working directory, which might be somewhere globally writable like "/tmp/".

      There was apparently a real-world way of exploiting this to do nasty stuff, but the Perl development team haven't yet publicly disclosed what it is. I imagine it's an exploit in some commonly used Perl web app like cPanel or Webmin. They do plan on releasing the info eventually, once they've decided people have had enough time to move to newer Perl versions which don't have "." in @INC by default.

        I see, thanks. :)

        That sounds false, cause . was last in @INC for a long time, so strict.pm from /tmp is not a situation that could have happened

      Here's one blog post that describes some background of the situation. Here's a blog post from Brian D. Foy talking about '.' being removed from @INC in 5.26.

      Also, it's documented in the perldelta for 5.24.1.

      And there's also a CVE for this issue too (CVE-2016-1238).

        Great thanks!

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1190628]
help
Chatterbox?
holli scratches his head
holli feels silly

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (3)
As of 2017-09-24 14:24 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    During the recent solar eclipse, I:









    Results (274 votes). Check out past polls.

    Notices?