> On Feb 12, 2017, at 5:30 AM, Phil Pennock <[email protected]> wrote: > > On 2017-02-12 at 11:30 +0100, Heiko Schlittermann wrote: >> I saw, that '.' now gets pop()ed from @INC in various Perl scripts. >> >> Is there a special reason doing so? If we'd deal with security in mind, >> we should use Perl's taint mode to make the scripts more secure. > > Root invokes these scripts, often for messing with queue analysis. > Invoking them in /tmp is entirely reasonable. Other people can write to > /tmp, so letting people have code be run as root because root invoked an > Exim tool while in /tmp is poor form. > > Taint mode deals with when the invoker's environment is not trusted. > It's excellent for daemons, CGIs, network protocol clients, etc. It's > less useful for CLI tools which don't talk to untrusted services. I'm > not opposed to it I just don't see the point here. > > Taint mode doesn't really protect against @INC being stupid. > > Other scripting languages have things like "the directory where the > script was found is also in sys.path/whatever"; AFAIK only Perl puts the > _current_ directory into @INC. >
Phil, Perfect assessment! I've been working on mitigating some of the @INC issues in the Perl Community. You're spot on for why you would do it and the benefits of doing so. Todd -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
