author: Tony Cook <tony@develop-help.com> 2016-07-19 11:34:17 +1000
committer: Steve Hay <steve.m.hay@googlemail.com> 2016-07-25 10:12:23 +0100
commit: 19bd0fa9e7268afaaa15d6b8ba1080efcf740443 (patch)
tree: 7ae628d7127dae306b584b1db75539a8b5bf029c
parent: 7c3b0dfedc689b14211a4f0445d788c7d829256c (diff)
download: perl-19bd0fa9e7268afaaa15d6b8ba1080efcf740443.tar.gz
(perl #127834) perldelta for . in @INC changes
-rw-r--r-- pod/perldelta.pod | 74
-rw-r--r-- t/porting/known_pod_issues.dat | 1
2 files changed, 75 insertions, 0 deletions
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index 23646bdb2c..fada92e700 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -32,6 +32,80 @@ If perl is running setuid or the B<-T> switch was supplied C<PERLIO_DEBUG> is
ignored and the debugging output is sent to C<stderr> as for any other B<-D>
switch.
+=head2 Core modules and tools no longer search C<.> for optional modules
+
+The tools and many modules supplied in core no longer search the
+default current directory entry in @INC for optional modules, for
+example, L<Storable> will remove the final C<"."> from C<@INC> before
+trying to load L<Log::Agent>.
+
+This prevents an attacker injecting an optional module into a process
+run by another user where the current directory is writable by the
+attacker, eg. the F</tmp> directory.
+
+In most cases this removal should not cause problems, the exception
+being L<base>.
+
+C<base> treats every module name supplied as optional - if you have
+applications that use C<base> to load non-optional modules from the
+current directory you will need to modify your code or environment.
+
+If your code always trusts the contents of the current directory, the
+simplest change is adding C<"."> to C<PERL5LIB>:
+
+ # for Bourne shell and similar
+ set PERL5LIB=.
+ export PERL5LIB
+
+If you do B<not> trust the current directory this will open your code
+up to attacks on any module load, not just optional modules. You may
+want to add the absoluete path of your application's module directory
+to C<PERL5LIB> instead.
+
+Alternatively you can change your code, either to add the directory
+with your binary to C<@INC>:
+
+ use FindBin;
+ use lib $FindBin::Bin;
+
+or switch to C<parent>, which requires an explicit parameter for
+optional modules:
+
+ use parent 'Nonoptional::Module';
+
+though this will have the same problem if the current directory is
+removed from C<@INC> in perl 5.26.
+
+Also, since C<base> now localizes C<@INC> when loading modules changes
+to C<@INC> in the loaded module will be discarded when C<@INC> is
+restored to its previous value.
+
+To protect your own code from this attack either remove the default
+C<"."> entry from C<@INC> at the start of your script, so:
+
+ #!/usr/bin/perl
+ use strict;
+ ...
+
+becomes:
+
+ #!/usr/bin/perl
+ BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ ...
+
+or for modules, remove C<"."> from a localized C<@INC>, so:
+
+ my $can_foo = eval { require Foo; }
+
+becomes:
+
+ my $can_foo = eval {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ require Foo;
+ };
+
=head1 Incompatible Changes
There are no changes intentionally incompatible with Perl 5.24.0. If any
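Review bot: the PERL5LIB snippet added in this hunk is labelled "for Bourne shell and similar" but uses `set PERL5LIB=.`, which in a Bourne-style shell replaces the positional parameters rather than assigning a variable, so the following `export PERL5LIB` exports an unassigned variable and `.` never reaches `@INC`; `set VAR=value` is csh and cmd.exe syntax. It should read `PERL5LIB=.` followed by `export PERL5LIB` (or simply `export PERL5LIB=.`). Two smaller points in the same hunk: "absoluete" should be "absolute", and the pre-change example `my $can_foo = eval { require Foo; }` is missing the trailing semicolon that its "becomes" form has, so the before/after pair does not read as a like-for-like rewrite.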
diff --git a/t/porting/known_pod_issues.dat b/t/porting/known_pod_issues.dat
index 4f1379b262..162de81cbc 100644
--- a/t/porting/known_pod_issues.dat
+++ b/t/porting/known_pod_issues.dat
@@ -152,6 +152,7 @@ List::Gather
listen(2)
local::lib
lockf(3)
+Log::Agent
Log::Message
Log::Message::Config
Log::Message::Handlers