author | Tony Cook <tony@develop-help.com> | 2016-07-19 11:34:17 +1000 |
---|---|---|
committer | Steve Hay <steve.m.hay@googlemail.com> | 2016-07-25 10:12:23 +0100 |
commit | 19bd0fa9e7268afaaa15d6b8ba1080efcf740443 (patch) | |
tree | 7ae628d7127dae306b584b1db75539a8b5bf029c | |
parent | 7c3b0dfedc689b14211a4f0445d788c7d829256c (diff) | |
download | perl-19bd0fa9e7268afaaa15d6b8ba1080efcf740443.tar.gz |
(perl #127834) perldelta for . in @INC changes
-rw-r--r-- | pod/perldelta.pod | 74 | ||||
-rw-r--r-- | t/porting/known_pod_issues.dat | 1 |
2 files changed, 75 insertions, 0 deletions
diff --git a/pod/perldelta.pod b/pod/perldelta.pod index 23646bdb2c..fada92e700 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod 
@@ -32,6 +32,80 @@ If perl is running setuid or the B<-T> switch was supplied C<PERLIO_DEBUG> is ignored and the debugging output is sent to C<stderr> as for any other B<-D> switch. +=head2 Core modules and tools no longer search C<.> for optional modules + +The tools and many modules supplied in core no longer search the +default current directory entry in @INC for optional modules, for +example, L<Storable> will remove the final C<"."> from C<@INC> before +trying to load L<Log::Agent>. + +This prevents an attacker injecting an optional module into a process +run by another user where the current directory is writable by the +attacker, eg. the F</tmp> directory. + +In most cases this removal should not cause problems, the exception +being L<base>. + +C<base> treats every module name supplied as optional - if you have +applications that use C<base> to load non-optional modules from the +current directory you will need to modify your code or environment. + +If your code always trusts the contents of the current directory, the +simplest change is adding C<"."> to C<PERL5LIB>: + + # for Bourne shell and similar + set PERL5LIB=. + export PERL5LIB + +If you do B<not> trust the current directory this will open your code +up to attacks on any module load, not just optional modules. You may +want to add the absoluete path of your application's module directory +to C<PERL5LIB> instead. + +Alternatively you can change your code, either to add the directory +with your binary to C<@INC>: + + use FindBin; + use lib $FindBin::Bin; + +or switch to C<parent>, which requires an explicit parameter for +optional modules: + + use parent 'Nonoptional::Module'; + +though this will have the same problem if the current directory is +removed from C<@INC> in perl 5.26. + +Also, since C<base> now localizes C<@INC> when loading modules changes +to C<@INC> in the loaded module will be discarded when C<@INC> is +restored to its previous value. 
+ +To protect your own code from this attack either remove the default +C<"."> entry from C<@INC> at the start of your script, so: + + #!/usr/bin/perl + use strict; + ... + +becomes: + + #!/usr/bin/perl + BEGIN { pop @INC if $INC[-1] eq '.' } + use strict; + ... + +or for modules, remove C<"."> from a localized C<@INC>, so: + + my $can_foo = eval { require Foo; } + +becomes: + + my $can_foo = eval { + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; + require Foo; + }; + =head1 Incompatible Changes There are no changes intentionally incompatible with Perl 5.24.0. If any diff --git a/t/porting/known_pod_issues.dat b/t/porting/known_pod_issues.dat index 4f1379b262..162de81cbc 100644 --- a/t/porting/known_pod_issues.dat +++ b/t/porting/known_pod_issues.dat @@ -152,6 +152,7 @@ List::Gather listen(2) local::lib lockf(3) +Log::Agent Log::Message Log::Message::Config Log::Message::Handlers |
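Review bot: In the pod/perldelta.pod hunk, the Bourne shell example for adding C<"."> to C<PERL5LIB> uses `set PERL5LIB=.`, which in a Bourne-style shell sets the positional parameter $1 to the string "PERL5LIB=." instead of assigning the variable, so the `export PERL5LIB` that follows does not put "." into the environment. Suggest a plain assignment, `PERL5LIB=.` followed by `export PERL5LIB`, so the documented workaround actually takes effect. In the same hunk, "absoluete path" should read "absolute path", and the "before" snippet `my $can_foo = eval { require Foo; }` is missing the terminating semicolon that its "becomes" counterpart has. It may also be worth stating that `pop @INC if $INC[-1] eq '.'` only removes the default trailing entry, so a "." added through `PERL5LIB` as the earlier paragraph suggests is not removed by it.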