On Thu, Sep 08, 2016 at 02:04:21PM +0300, Lars Wirzenius wrote:
> On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote:
> > On 29 August 2016 at 14:39, Dominic Hargreaves <d...@earth.li> wrote:
> > > tl;dr: '.' is being removed from perl's @INC by default; some breakage
> > > in apps expected.
> > >
> > > For some years[1], it's been known that perl's habit of including '.'
> > > in its module load path (@INC) is potentially dangerous, since it
> > > can allow untrusted code to be run under certain circumstances. However,
> > > for most of that time it wasn't taken that seriously, particularly as the
> > > fix is quite disruptive.
> >
> > Other languages do that too, e.g. Python. Doesn't Python have the same
> > concerns then too?
>
> Python doesn't put . in sys.path (the search path for imported
> modules). It puts the absolute path where the script was found as the
> first element.
Although there were similar problems when embedding Python in other
programs. See CVE-2008-5983[0] for the Python side of the issue. There
were also various CVEs at the time for the programs that were doing the
embedding (like Vim[1], X-Chat[2], etc.).

[0]: https://security-tracker.debian.org/CVE-2008-5983
[1]: https://security-tracker.debian.org/CVE-2009-3916
[2]: https://security-tracker.debian.org/CVE-2009-3915

Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
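Added example (written for this page; not code from the thread, from perl or from the Python project) to make the hazard concrete on the Python side. Lars is right that for a script, sys.path[0] is the script's own directory rather than '.'; when the interpreter is started without a script path, though, as with python -c or an interactive session, sys.path[0] is '' (the current working directory), and a file planted there is imported in place of the module the application asked for. That is the Python counterpart of '.' in @INC, and the same "empty entry on sys.path" mechanism the embedding CVE above describes. The block also shows the mitigation Python offers, isolated mode (-I, Python 3.4+), which keeps the cwd and script directory out of sys.path. The module name appconfig_demo_planted is made up, the planted file is constructed by the block itself, and Python 3.7+ is assumed.

```python
"""Constructed demonstration: a file planted in the current directory is
imported in place of the module an application asked for whenever the cwd is
on the module search path (the Python analogue of '.' in perl's @INC).  The
mitigation shown is isolated mode (-I), which leaves the cwd and the script
directory out of sys.path.
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Made-up module name standing in for one an application imports and an
# attacker can guess.  Not a real package.
PLANTED_MODULE = "appconfig_demo_planted"


def probe_import(cwd, extra_flags=()):
    """Start a child interpreter with `cwd` as its working directory, import
    PLANTED_MODULE there and return the real path of the file it came from,
    or None if the import failed (module not found)."""
    code = (
        f"import os, {PLANTED_MODULE} as m; "
        f"print(os.path.abspath(m.__file__))"
    )
    env = dict(os.environ)
    # A PYTHONSAFEPATH=1 (Python 3.11+) in the caller's shell would silently
    # change the "default" result, so drop it for the child.
    env.pop("PYTHONSAFEPATH", None)
    proc = subprocess.run(
        [sys.executable, *extra_flags, "-c", code],
        cwd=cwd, env=env, capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return os.path.realpath(proc.stdout.strip())


def demonstrate():
    """Plant a module in a scratch directory and compare what `python -c`
    imports from that directory with and without isolated mode."""
    with tempfile.TemporaryDirectory() as workdir:
        planted = os.path.join(workdir, PLANTED_MODULE + ".py")
        with open(planted, "w") as fh:
            fh.write(textwrap.dedent("""\
                # Constructed "attacker" file: anything here runs at import time.
                PLANTED = True
            """))
        return {
            # `python -c` puts '' (the current directory) at sys.path[0],
            # so the planted file is what gets imported.
            "default": probe_import(workdir),
            # -I omits the cwd/script dir from sys.path, so the same import
            # fails instead of picking up the planted file.
            "isolated": probe_import(workdir, ("-I",)),
            "planted_path": os.path.realpath(planted),
        }


if __name__ == "__main__":
    result = demonstrate()
    print("default  :", result["default"])
    print("isolated :", result["isolated"])
    print("hijacked :", result["default"] == result["planted_path"])
```

The check a practitioner wants after this is the inverse one: run the real application's entry point with `python -X importtime` or simply print `sys.path[:2]` at startup and confirm neither `''` nor a user-writable directory appears ahead of the real installation paths, especially for anything launched via `-c`, a REPL, or an embedding host that calls PySys_SetArgv with an empty argv[0].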