Re^2: use lib './' security safe?

by hbo (Monk)
on Jul 20, 2004 at 05:24 UTC (#375810=note)

in reply to Re: use lib './' security safe?
in thread use lib './' security safe?

Sorry you had an unproductive day. I've had a few like that myself.

After correcting myself and being corrected by others, I beg to differ slightly with your final conclusion.

use lib "./";
actually does have security implications. If "./" is first in the module search list, then a file called, for example, "," in the directory your script runs in, would alter the effect a use CGI; directive would have, if it appeared after the first use statement. In other words, you could be vulnerable to a trojan horse attack.

Of course, since "./" appears in the load path by default after all the other paths, this danger is considerably lessened. But for myself, I still dislike relying on a relative path to load code. When you don't have absolute control of the working directory your script will run from, it's better to use absolute paths for security's sake.
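A defensive illustration of the point made in this post, written as an added example rather than code from the thread: it audits @INC for relative entries before any module is loaded, strips them at compile time, and replaces a relative `use lib "./"` with an absolute directory derived from the script's own location via FindBin. The directory name `lib` is a placeholder assumed for the example.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: audit @INC for relative entries
# such as "." or "./", strip them before any module is loaded, and point
# 'use lib' at an absolute directory derived from the script's location.
use strict;
use warnings;
use File::Spec;
use FindBin qw($RealBin);

# Return the @INC entries that are not absolute paths.  A relative entry is
# resolved against the current working directory at require() time, so a
# same-named file in a writable cwd can shadow the real module.
sub relative_inc_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @INC;
}

# 0-based position of $dir in @INC, or -1 if absent.  Shows that 'use lib'
# prepends: a directory added with it is searched before everything else.
sub inc_position {
    my ($dir) = @_;
    for my $i (0 .. $#INC) {
        return $i if !ref($INC[$i]) && $INC[$i] eq $dir;
    }
    return -1;
}

# Drop relative entries, keeping absolute paths and any code-ref hooks.
# Returns the entries that were removed.
sub harden_inc {
    my @dropped = relative_inc_entries();
    @INC = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;
    return @dropped;
}

# Hardening has to happen at compile time, before the first 'use' of a
# module that matters; a BEGIN block gives exactly that ordering.
BEGIN {
    if (my @dropped = harden_inc()) {
        warn "removed relative \@INC entries: @dropped\n";
    }
}

# Safe replacement for 'use lib "./"': an absolute path next to the script.
# 'lib' is a placeholder directory name for this example.
use lib File::Spec->catdir($RealBin, 'lib');

# Any 'use Some::Module;' placed here can no longer be satisfied by a file
# in the working directory, because no relative @INC entry remains.

my $lib = File::Spec->catdir($RealBin, 'lib');
printf "%s is searched at position %d of %d\n",
    $lib, inc_position($lib), scalar @INC;
printf "relative entries remaining: %d\n", scalar relative_inc_entries();
```

Two details worth knowing when reading this: lib.pm prepends to @INC, so a relative `use lib "./"` moves the working directory from the end of the search order to the front, which is exactly the case the post warns about; and Perl 5.26 removed the current directory from the default @INC altogether, so on modern perls the residual "." only appears if a script or environment puts it back.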

Re^3: use lib './' security safe?
by Ven'Tatsu (Deacon) on Jul 20, 2004 at 14:00 UTC

    I don't think that '.' in @INC is a security risk in the same way as '.' in $ENV{PATH} would be.

    With PATH there is a risk of root cd'ing into a directory and running a trojaned ls, compromising the system. An attacker might have write access to their home directory, which would be expected (under the assumption that the attacker is an authorised user).

    With @INC if the attacker can write a trojaned then they would have write access to the directory, and they could just as easily unlink the script itself and replace it with a trojaned version.

    Correct me if I'm missing something.
