From: Dan Boger <[EMAIL PROTECTED]>
Date: Fri, 14 Jul 2006 09:40:18 -0400
On Fri, Jul 14, 2006 at 09:33:14AM -0400, Bill Ricker wrote:
> > > Specifically, can the *.pmc file be in a different directory than
> > > the *.pm file that was intended to be used?
>
> If it were implemented exactly as Audrey said, it would -- if checking
> for $Module.pmc first, then for $Module.pm , which doubles the number
> of fstats to (up to) 2*scalar @INC. Possibly to avoid this security
> issue, possibly to buy back the overhead, it appears to have been
> implemented in a more efficient fashion :
>
> > A quick test seems to say no:
>
> That's hopeful. That implies it fstats PMC only after finding a PM but
> before reading the PM, and reduces the suggested 2xfstat overhead
> greatly. This could be verified with strace/truss.
And strace shows it does check for a .pmc in every member of @INC:
It kinda has to do that, since otherwise it wouldn't be able to find a
Perl package that was distributed only as "*.pmc" files.
So this could be a security hole if a trojaned Dumper.pmc was
inserted into an @INC dir before the Dumper.pm dir. But since all of
the default @INC dirs are only writable by root (assuming your distro is
sane), this is only a hole if you explicitly 'use lib' to include
someplace that is not under your control.
Except ".", which comes last. This WOULD cause a security problem if
Perl searched all directories for "*.pmc" files before searching for any
"*.pm" files. So I think Perl is doing the right thing.
-- Bob Rogers
http://rgrjr.dyndns.org/
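An audit helper for the situation discussed above, added here as an example and not code from the thread or from Perl itself: for a given module name it walks @INC in order and reports, per directory, whether a `.pmc` or `.pm` candidate exists, whether the directory is writable by the current user or world-writable, and whether it is `.`. It assumes the per-directory probe order described in the thread (`.pmc` checked alongside `.pm` in each @INC member, first hit wins), so any writable directory that precedes the one actually supplying the module is flagged as a place where a planted `.pmc` would be loaded first. The module name `Data::Dumper` is only the default argument.

```perl
#!/usr/bin/perl
# Added audit helper (not from the thread): show where Perl would resolve a
# module and which earlier @INC entries could shadow it with a planted .pmc.
# Assumes per-directory ".pmc then .pm" probing, first match wins.
use strict;
use warnings;
use File::Spec;

# Convert "Data::Dumper" to the relative path "Data/Dumper" (no suffix).
sub module_to_relpath {
    my ($module) = @_;
    my @parts = split /::/, $module;
    return File::Spec->catfile(@parts);
}

# Return one hash per @INC directory, in search order. Pass an explicit
# directory list to audit something other than the running perl's @INC.
sub audit_module_search {
    my ($module, @dirs) = @_;
    @dirs = @INC unless @dirs;
    my $rel = module_to_relpath($module);
    my @report;
    my $resolved = 0;
    for my $dir (@dirs) {
        next if ref $dir;    # skip @INC hooks (code refs, objects)
        my $pmc = File::Spec->catfile($dir, "$rel.pmc");
        my $pm  = File::Spec->catfile($dir, "$rel.pm");
        my %entry = (
            dir            => $dir,
            has_pmc        => (-e $pmc) ? 1 : 0,
            has_pm         => (-e $pm)  ? 1 : 0,
            writable       => (-w $dir) ? 1 : 0,
            world_writable => (-d $dir && ((stat $dir)[2] & 0002)) ? 1 : 0,
            is_cwd         => ($dir eq '.') ? 1 : 0,
            would_load     => '',
        );
        if (!$resolved) {
            if    ($entry{has_pmc}) { $entry{would_load} = $pmc; $resolved = 1 }
            elsif ($entry{has_pm})  { $entry{would_load} = $pm;  $resolved = 1 }
        }
        push @report, \%entry;
    }
    return @report;
}

# Print the report. Writable directories that come before the resolving one
# are marked SHADOWS: a .pmc dropped there would be found first.
sub print_report {
    my ($module, @report) = @_;
    print "Search order for $module:\n";
    my $seen_match = 0;
    for my $e (@report) {
        my @flags;
        push @flags, 'pmc'            if $e->{has_pmc};
        push @flags, 'pm'             if $e->{has_pm};
        push @flags, 'WRITABLE'       if $e->{writable};
        push @flags, 'WORLD-WRITABLE' if $e->{world_writable};
        push @flags, 'cwd'            if $e->{is_cwd};
        push @flags, 'SHADOWS'
            if !$seen_match && $e->{writable} && !$e->{would_load};
        my $mark = $e->{would_load} ? "=> loads $e->{would_load}" : '';
        printf "  %-40s [%s] %s\n", $e->{dir}, join(',', @flags), $mark;
        $seen_match = 1 if $e->{would_load};
    }
}

my $module = shift @ARGV || 'Data::Dumper';
print_report($module, audit_module_search($module));
```

Run it as `perl audit_inc.pl Data::Dumper` (the file name is arbitrary); a clean system prints only root-owned, non-writable entries ahead of the `=> loads` line, with `.` appearing last if at all. Any `SHADOWS` or `WORLD-WRITABLE` flag ahead of the resolving directory is the condition the thread describes as a hole, and is worth checking after every `use lib` addition.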
_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm