> On Feb 14, 2017, at 2:48 AM, Heiko Schlittermann <[email protected]> 
> wrote:
> 
> Phil Pennock <[email protected]> (So 12 Feb 2017 12:30:48 CET):
>> On 2017-02-12 at 11:30 +0100, Heiko Schlittermann wrote:
>>> I saw, that '.' now gets pop()ed from @INC in various Perl scripts.
>>> 
>>> Is there a special reason doing so? If we'd deal with security in mind,
>>> we should use Perl's taint mode to make the scripts more secure.
>> 
>> Root invokes these scripts, often for messing with queue analysis.
>> Invoking them in /tmp is entirely reasonable.  Other people can write to
>> /tmp, so letting people have code be run as root because root invoked an
>> Exim tool while in /tmp is poor form.
> 
> Yes. But '.' is the last in the @INC array.
> So, if Perl looks for a module in '.', it already failed finding it in
> all the other (system) locations.
> 
> If we remove '.' from the @INC array, we should care about other
> positions too, not only the last position.
> 
>    BEGIN {
>        @INC = grep { !/^[.]$/ } @INC
>    }
> 
> But this prevents a developer from temporarily using '.' in the very
> first position of @INC for testing purposes as in
> 
>    perl -Mlib='.' exigrep
> or
>    PERL5LIB='.' exigrep
> 
> But, as it's a developer, one can use
> 
>    PERL5LIB=$(pwd) exigrep
> 
> 
> Conclusion: removing the DOT is appreciated, but, if doing so, it should
> be done completely, shouldn't it?
> 

As the script maintainer, you're in a unique position to make a more directed 
decision than p5p was able to make. Removing . from the end of @INC was about 
getting rid of the tyrannical default. Ideally you would want to remove ALL 
relative paths. If you want to go buck wild, I'd recommend removing ALL 
relative paths from @INC. 

   BEGIN {
       @INC = grep { !/^[.]/ } @INC
   }

I'm sure there's 1 person in the world you'll annoy but I bet you never even 
hear from them. 

Todd
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
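
The filters discussed in this thread, compared side by side on a constructed search path. This is an added example, not code from the thread or from Exim; the sub names and the sample path list are hypothetical, and the absolute-paths-only variant is an assumption about what removing all relative paths would take, not something either poster proposed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Constructed sample search path (not taken from a real system): '.' is
# first, as PERL5LIB='.' would put it, and last, as the old default did.
my @sample = ('.', '/usr/local/lib/site_perl', './lib', '../lib', 'lib',
              '/usr/share/perl5', '.');

# Drop '.' only when it is the final entry (the pop() approach).
sub pop_trailing_dot {
    my @inc = @_;
    pop @inc if @inc && $inc[-1] eq '.';
    return @inc;
}

# Drop every entry that is exactly '.', whatever its position.
sub drop_exact_dot { return grep { !/^[.]$/ } @_ }

# Drop every entry that begins with a dot ('.', './lib', '../lib').
sub drop_leading_dot { return grep { !/^[.]/ } @_ }

# Keep only absolute directories. References are kept as well, because
# @INC may hold hooks (code refs, array refs, objects) that are not paths.
sub keep_absolute {
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @_;
}

my @variants = (
    [ 'pop trailing dot'   => \&pop_trailing_dot ],
    [ 'grep !/^[.]$/'      => \&drop_exact_dot ],
    [ 'grep !/^[.]/'       => \&drop_leading_dot ],
    [ 'absolute only'      => \&keep_absolute ],
);

for my $variant (@variants) {
    my ($label, $filter) = @$variant;
    my @kept     = $filter->(@sample);
    # Anything still resolved against the current directory at require time.
    my @relative = grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @kept;
    printf "%-18s kept: %s\n", $label, join(' ', @kept);
    printf "%-18s still relative: %s\n", '', @relative ? join(' ', @relative) : '(none)';
}
```

In a real script the chosen filter would be applied to @INC inside a BEGIN block, as in the snippets above, so that it takes effect before any use statement is compiled.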
