https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7367

--- Comment #8 from jida...@jidanni.org ---
Debian$ man perlvar

       @INC    The array @INC contains the list of places that the "do EXPR",
               "require", or "use" constructs look for their library files.
               It initially consists of the arguments to any -I command-line
               switches, followed by the default Perl library, probably
               /usr/local/lib/perl, followed by ".", to represent the current
               directory.  ("." will not be appended if taint checks are
               enabled, either by "-T" or by "-t".)  In Debian, '.' is removed
               by /etc/perl/sitecustomize.pl by default, as a prelude to it
               being removed upstream in a future release. If you need to
               modify @INC at runtime, you should use the "use lib" pragma to
               get the machine-dependent library properly loaded also:

                   use lib '/mypath/libdir/';
                   use SomeMod;

               You can also insert hooks into the file inclusion system by
               putting Perl code directly into @INC.  Those hooks may be
               subroutine references, array references or blessed objects.
               See "require" in perlfunc for details.

Debian$ cat /etc/perl/sitecustomize.pl

# This script is only provided as a transition mechanism for
# removing the current working directory from the library search path
# while leaving a temporary way to override this locally.
#
# If you really need "." to be on @INC globally, you can comment
# this away for now. However, please note that this facility
# is expected to be removed after the Debian stretch release,
# at which point any code in this file will not have any effect.
#
# Please see CVE-2016-1238 for background information on the risks
# of having "." on @INC.

pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};

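An added example, not part of the original comment or of SpamAssassin's code: a small Perl audit of a library search path as the quoted perlvar text describes it, flagging relative entries such as "." and listing hooks (subroutine references, array references or blessed objects). The helper name audit_inc and the sample list are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(blessed reftype);

# audit_inc (hypothetical helper): classify each entry of an @INC-style list.
# Returns one [index, kind, detail] record per entry worth reviewing.
sub audit_inc {
    my @path = @_;
    my @findings;
    for my $i (0 .. $#path) {
        my $entry = $path[$i];
        if (ref $entry) {
            # perlvar: hooks may be subroutine refs, array refs or blessed objects.
            my $what = blessed($entry)
                ? 'object of class ' . blessed($entry)
                : reftype($entry) . ' reference';
            push @findings, [$i, 'hook', $what];
        }
        elsif (!File::Spec->file_name_is_absolute($entry)) {
            # "." and every other relative entry resolve against the current
            # working directory, the condition CVE-2016-1238 is about.
            push @findings, [$i, 'relative', $entry];
        }
    }
    return @findings;
}

# Constructed sample list (not taken from a real system).
my @sample = ('/usr/share/perl5', 'lib', sub { return }, '.');

for my $set (['constructed sample', \@sample], ['live @INC', \@INC]) {
    my ($label, $list) = @$set;
    my @found = audit_inc(@$list);
    printf "%s: %d entries, %d flagged\n",
        $label, scalar @$list, scalar @found;
    printf "  [%d] %-8s %s\n", @$_ for @found;
}

# The sitecustomize.pl shown above leaves "." in place when this is set.
print "PERL_USE_UNSAFE_INC is set: '.' will not be popped from \@INC\n"
    if $ENV{PERL_USE_UNSAFE_INC};
```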