On Fri, Jul 14, 2006 at 08:29:52AM -0400, Tolkin, Steve wrote:
> I read Audrey Tang's blog and some things it linked to. Great stuff.
> I learned that *.pmc files have precedence over *.pm files. Does this
> introduce a security issue, i.e. anything new beyond the existing
> risks? I wonder if an evil *.pmc file might not even be noticed when
> searching for a problem, due to its unusual extension.
>
> Specifically, can the *.pmc file be in a different directory than the
> *.pm file that was intended to be used?

A quick test seems to say no:

[EMAIL PROTECTED] perl -MData::Dumper -le 'unshift @INC, "."; print
$INC{"Data/Dumper.pm"}; print Dumper [EMAIL PROTECTED]'
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Data/Dumper.pm
$VAR1 = [
'.',
....
'/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi',
....
];
[EMAIL PROTECTED] cat > Data/Dumper.pmc
package Data::Dumper;
1;
[EMAIL PROTECTED] perl -MData::Dumper -le 'unshift @INC, "."; print
$INC{"Data/Dumper.pm"}; print Dumper [EMAIL PROTECTED]'
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Data/Dumper.pm
$VAR1 = [
'.',
....
'/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi',
....
];
[EMAIL PROTECTED] sudo cp Data/Dumper.pmc
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Data/Dumper.pmc
[EMAIL PROTECTED] perl -MData::Dumper -le 'unshift @INC, "."; print
$INC{"Data/Dumper.pm"}; print Dumper [EMAIL PROTECTED]'
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Data/Dumper.pm
[EMAIL PROTECTED]
--
Dan Boger
[EMAIL PROTECTED]
_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm
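
Added example, not part of the original thread or of Perl itself: a shell audit for the concern raised in the question, that a *.pmc file could sit unnoticed beside the *.pm it takes precedence over. The function name find_pmc, the SHADOWS/ORPHAN labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# List every *.pmc under the given library directories and report whether it
# sits next to a same-named *.pm (the case where it would be loaded instead).
# Output: one line per file, "<status> <path>".
find_pmc() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue             # @INC often names missing dirs
        # Include symlinks: a planted .pmc need not be a regular file.
        find "$dir" \( -type f -o -type l \) -name '*.pmc' 2>/dev/null | sort |
        while IFS= read -r pmc; do
            pm=${pmc%c}                       # Foo.pmc -> Foo.pm
            if [ -f "$pm" ]; then
                echo "SHADOWS $pmc"           # a .pm exists in the same directory
            else
                echo "ORPHAN $pmc"            # no sibling .pm; still worth a look
            fi
        done
    done
}

# Constructed sample tree so the example runs offline.
demo_pmc_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib/Data" "$tmp/site/Local"
    : > "$tmp/lib/Data/Dumper.pm"
    : > "$tmp/lib/Data/Dumper.pmc"            # sits beside the real module
    : > "$tmp/site/Local/Only.pmc"            # no matching .pm
    : > "$tmp/site/Local/Clean.pm"            # ordinary module, not reported
    find_pmc "$tmp/lib" "$tmp/site" "$tmp/missing" | sed "s|$tmp/||"
    rm -rf "$tmp"
}

demo_pmc_audit
# Against a real installation, feed it perl's own search path:
#   find_pmc $(perl -le 'print for @INC')
```

Nested @INC entries will report the same file more than once; pipe the result through sort -u when running it against a real search path.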