(perl #127834) perldelta for . in @INC changes

2 files changed, 75 insertions, 0 deletions

diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index 23646bdb2c..fada92e700 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -32,6 +32,80 @@ If perl is running setuid or the B<-T> switch was supplied C<PERLIO_DEBUG> is
 ignored and the debugging output is sent to C<stderr> as for any other B<-D>
 switch.
 
+=head2 Core modules and tools no longer search C<.> for optional modules
+
+The tools and many modules supplied in core no longer search the
+default current directory entry in @INC for optional modules, for
+example, L<Storable> will remove the final C<"."> from C<@INC> before
+trying to load L<Log::Agent>.
+
+This prevents an attacker injecting an optional module into a process
+run by another user where the current directory is writable by the
+attacker, eg. the F</tmp> directory.
+
+In most cases this removal should not cause problems, the exception
+being L<base>.
+
+C<base> treats every module name supplied as optional - if you have
+applications that use C<base> to load non-optional modules from the
+current directory you will need to modify your code or environment.
+
+If your code always trusts the contents of the current directory, the
+simplest change is adding C<"."> to C<PERL5LIB>:
+
+  # for Bourne shell and similar
+  set PERL5LIB=.
+  export PERL5LIB
+
+If you do B<not> trust the current directory this will open your code
+up to attacks on any module load, not just optional modules.  You may
+want to add the absoluete path of your application's module directory
+to C<PERL5LIB> instead.
+
+Alternatively you can change your code, either to add the directory
+with your binary to C<@INC>:
+
+  use FindBin;
+  use lib $FindBin::Bin;
+
+or switch to C<parent>, which requires an explicit parameter for
+optional modules:
+
+  use parent 'Nonoptional::Module';
+
+though this will have the same problem if the current directory is
+removed from C<@INC> in perl 5.26.
+
+Also, since C<base> now localizes C<@INC> when loading modules changes
+to C<@INC> in the loaded module will be discarded when C<@INC> is
+restored to its previous value.
+
+To protect your own code from this attack either remove the default
+C<"."> entry from C<@INC> at the start of your script, so:
+
+  #!/usr/bin/perl
+  use strict;
+  ...
+
+becomes:
+
+  #!/usr/bin/perl
+  BEGIN { pop @INC if $INC[-1] eq '.' }
+  use strict;
+  ...
+
+or for modules, remove C<"."> from a localized C<@INC>, so:
+
+  my $can_foo = eval { require Foo; }
+
+becomes:
+
+  my $can_foo = eval {
+      local @INC = @INC;
+      pop @INC if $INC[-1] eq '.';
+      require Foo;
+  };
+
 =head1 Incompatible Changes
 
 There are no changes intentionally incompatible with Perl 5.24.0.  If any
diff --git a/t/porting/known_pod_issues.dat b/t/porting/known_pod_issues.dat
index 4f1379b262..162de81cbc 100644
--- a/t/porting/known_pod_issues.dat
+++ b/t/porting/known_pod_issues.dat
@@ -152,6 +152,7 @@ List::Gather
 listen(2)
 local::lib
 lockf(3)
+Log::Agent
 Log::Message
 Log::Message::Config
 Log::Message::Handlers