PerlMonks  

Re^5: 'do' command is dead? Surely not?

by KurtZ (Pilgrim)
on May 19, 2017 at 14:53 UTC (#1190635=note)


in reply to Re^4: 'do' command is dead? Surely not?
in thread 'do' command is dead? Surely not?

Recent versions of Perl (v5.24.1+) removed '.' from @INC,

Ehm, why?

Re^6: 'do' command is dead? Surely not?
by tobyink (Abbot) on May 19, 2017 at 15:09 UTC

    Because something as seemingly safe as use strict can load strict.pm from the current working directory, which might be somewhere globally writable like "/tmp/".

    There was apparently a real-world way of exploiting this to do nasty stuff, but the Perl development team haven't yet publicly disclosed what it is. I imagine it's an exploit in some commonly used Perl web app like cPanel or Webmin. They do plan on releasing the info eventually, once they've decided people have had enough time to move to newer Perl versions which don't have "." in @INC by default.

      I see, thanks. :)

      That sounds false, 'cause . was last in @INC for a long time, so strict.pm from /tmp is not a situation that could have happened.

        Maybe not strict.pm but some other (optional) module that was not present in the original system could still be loaded from /tmp.
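The scenario in this sub-thread (a module that is absent from the system being picked up from a writable current directory because '.' sits at the end of @INC) is easiest to see, and to defend against, with a small audit script. The following is an added example, not code from the thread or from the Perl core; `Module::Name::Hypothetical` is a placeholder for whatever optional dependency a script probes for, and `inc_entries_in_cwd` is a helper written for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): audit @INC for relative entries
# such as '.' before any optional module is loaded, and drop them so a
# missing module cannot be satisfied by a file in the current directory.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;

# Which @INC entries resolve to the current working directory?
# This is the case described above: a cwd such as /tmp that is
# world-writable, so anyone can plant Foo/Bar.pm there.
sub inc_entries_in_cwd {
    my @inc = @_;
    my $cwd = getcwd();
    return grep { File::Spec->rel2abs($_) eq $cwd } @inc;
}

# Runs at compile time, before any 'require' below is reached.
# Older perls (pre-5.26) append '.'; newer ones can be told to do so
# again via PERL_USE_UNSAFE_INC=1, so the check is worth keeping.
BEGIN {
    my @cwd_hits  = inc_entries_in_cwd(@INC);
    my @relative  = grep { !File::Spec->file_name_is_absolute($_) } @INC;
    @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
    warn "removed relative \@INC entries: @relative\n" if @relative;
    warn "note: these entries pointed at the cwd: @cwd_hits\n" if @cwd_hits;
}

# Probe for an optional module the usual way. With @INC now holding
# only absolute paths, a failed probe stays a failed probe instead of
# silently loading a same-named file from wherever the script was run.
my $have_optional = eval { require Module::Name::Hypothetical; 1 } ? 1 : 0;
print "optional module available: $have_optional\n";
print "effective \@INC:\n", map { "  $_\n" } @INC;
```

The stricter-than-default choice here is to drop every relative entry, not just a trailing '.', because `use lib 'lib'` and similar relative additions have the same failure mode whenever the script is run from an untrusted directory.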

Re^6: 'do' command is dead? Surely not?
by dasgar (Curate) on May 19, 2017 at 18:24 UTC

    Here's one blog post that describes some background of the situation. Here's a blog post from Brian D. Foy talking about '.' being removed from @INC in 5.26.

    Also, it's documented in the perldelta for 5.24.1.

    And there's also a CVE for this issue too (CVE-2016-1238).

      Great thanks!
