Re: [exim-dev] Popping '.' from @INC

> On Feb 12, 2017, at 5:30 AM, Phil Pennock <pdp@???> wrote:
>
> On 2017-02-12 at 11:30 +0100, Heiko Schlittermann wrote:
>> I saw, that '.' now gets pop()ed from @INC in various Perl scripts.
>>
>> Is there a special reason doing so? If we'd deal with security in mind,
>> we should use Perl's taint mode to make the scripts more secure.
>
> Root invokes these scripts, often for messing with queue analysis.
> Invoking them in /tmp is entirely reasonable. Other people can write to
> /tmp, so letting people have code be run as root because root invoked an
> Exim tool while in /tmp is poor form.
>
> Taint mode deals with when the invoker's environment is not trusted.
> It's excellent for daemons, CGIs, network protocol clients, etc. It's
> less useful for CLI tools which don't talk to untrusted services. I'm
> not opposed to it I just don't see the point here.
>
> Taint mode doesn't really protect against @INC being stupid.
>
> Other scripting languages have things like "the directory where the
> script was found is also in sys.path/whatever"; AFAIK only Perl puts the
> _current_ directory into @INC.
>

Phil,

Perfect assessment! I've been working on mitigating some of the @INC issues in the Perl Community. You're spot on for why you would do it and the benefits of doing so.

Todd