Re: [exim-dev] Popping '.' from @INC

Author: Todd Rinaldo
Date:  
To: Heiko Schlittermann
CC: exim-dev
Subject: Re: [exim-dev] Popping '.' from @INC

> On Feb 14, 2017, at 2:48 AM, Heiko Schlittermann <hs@???> wrote:
>
> Phil Pennock <pdp@???> (So 12 Feb 2017 12:30:48 CET):
>> On 2017-02-12 at 11:30 +0100, Heiko Schlittermann wrote:
>>> I saw that '.' now gets pop()ed from @INC in various Perl scripts.
>>>
>>> Is there a special reason for doing so? If we'd deal with security in mind,
>>> we should use Perl's taint mode to make the scripts more secure.
>>
>> Root invokes these scripts, often for messing with queue analysis.
>> Invoking them in /tmp is entirely reasonable. Other people can write to
>> /tmp, so letting people have code be run as root because root invoked an
>> Exim tool while in /tmp is poor form.
>
> Yes. But '.' is the last in the @INC array.
> So, if Perl looks for a module in '.', it already failed finding it in
> all the other (system) locations.
>
> If we remove '.' from the @INC array, we should care about other
> positions too, not only the last position.
>
>    BEGIN {
>        @INC = grep { !/^[.]$/ } @INC
>    }
>
> But this prevents a developer from temporarily using '.' in the very
> first position of @INC for testing purposes as in
>
>    perl -Mlib='.' exigrep
> or
>    PERL5LIB='.' exigrep
>
> But, as it's a developer, one can use
>
>    PERL5LIB=$(pwd) exigrep
>
>
> Conclusion: removing the DOT is appreciated, but, if doing so, it should
> be done completely, shouldn't it?
>


As the script maintainer, you're in a unique position to make a more directed decision than p5p was able to make. Removing . from the end of @INC was about getting rid of the tyrannical default. Ideally you would want to remove ALL relative paths. If you want to go buck wild, I'd recommend removing ALL relative paths from @INC.

   BEGIN {
       @INC = grep { !/^[.]/ } @INC
   }


I'm sure there's 1 person in the world you'll annoy but I bet you never even hear from them.

Todd
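The three filters discussed in this thread differ in what they leave behind. The script below is an added illustration, not code from the thread or from Exim: it puts the three variants side by side on a constructed sample array (not a real @INC) and shows an absolute-only BEGIN block, which is the generalisation Todd suggests. The `absolute_entries` helper and the sample entries are my own; `File::Spec->file_name_is_absolute` is the standard core-module call.

```perl
#!/usr/bin/perl
# Added example, not part of the exim-dev thread or of Exim itself.
use strict;
use warnings;
use File::Spec;   # core module; loaded (via its own BEGIN) before @INC is pruned below

# Keep only entries that cannot resolve against the current directory:
# code refs (@INC hooks) and absolute paths. Every relative entry is dropped,
# whether it is '.', '..', './lib' or a bare 'lib'.
sub absolute_entries {
    my @entries = @_;
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @entries;
}

# Runs at compile time, so later 'use'/'require' statements already see the
# pruned list. A developer's PERL5LIB=$(pwd) still works: it is absolute.
BEGIN { @INC = absolute_entries(@INC) }

# Constructed sample, not the interpreter's real @INC.
my @sample = ('/usr/local/lib/perl5', '/usr/share/perl5', '.', './lib', 'lib', '..');

# Variant 1 (Heiko): only a bare '.' is removed; './lib', 'lib' and '..' stay.
my @bare_dot     = grep { !/^[.]$/ } @sample;
# Variant 2 (Todd): anything starting with a dot is removed; a bare 'lib' stays.
my @dot_prefixed = grep { !/^[.]/ }  @sample;
# Variant 3: absolute-only, which also drops 'lib'.
my @absolute     = absolute_entries(@sample);

printf "%-14s %s\n", $_->[0], join(' ', @{ $_->[1] })
    for ['bare dot:', \@bare_dot], ['dot-prefixed:', \@dot_prefixed], ['absolute-only:', \@absolute];
```

Running it from any directory shows that only the absolute-only rule removes the bare `lib` entry, which is the case the dot-anchored regexes miss; the BEGIN block is what an Exim-style tool run by root would carry, and a test module can still be injected for development with an absolute `PERL5LIB`.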