On Wed, 7 Feb 2001, Brian Ingerson wrote:
> I'm just not convinced that the config file is a security threat. Sure
> you could put evil code in it, but it's not my job to keep you from
> shooting yourself in the head. My job is just to keep others from
> fragging you to smithereens. If someone can change your config they
> probably have access to do a lot worse.
I may be misreading the code, but it looks like changing someone else's
config file isn't even necessary. Suppose a malicious user populates his
directory tree with config files:
/home/blackhat/.Inline/config
/home/blackhat/foo/.Inline/config
/home/blackhat/foo/bar/.Inline/config
etc...
Then root goes into this directory tree and runs a nifty sysadmin tool
written in Perl+Inline. If Inline evals the content of the config file
based off the current directory, blackhat suddenly has root access.
I think this is the same reason -T removes '.' from @INC.
--
Tim Gim Yee
[EMAIL PROTECTED]
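To make the scenario Tim describes concrete, here is an added example (not code from the thread, from Inline, or from either poster) modelling it in Python rather than Perl: a loader that walks up from the current directory for a `.Inline/config` and evals it, next to a hardened loader that consults only the invoking user's own home and refuses the file unless it and its directory are owned by the effective user and writable by nobody else. The directory layout, file contents and the `build_scenario`/`demo` helpers are constructed for the demo; the only thing taken from the message is the relative path `.Inline/config`.

```python
import os
import stat
import tempfile

# Relative path Inline uses for its per-directory config (from the message);
# the file contents used below are constructed for this demo, not Inline's format.
CONFIG_REL = os.path.join(".Inline", "config")


def find_config_upwards(start):
    """Cwd-relative lookup: walk from `start` toward '/' and return the first
    .Inline/config found. This is the behaviour the message warns about: which
    file gets picked depends on where the caller happens to be standing."""
    d = os.path.abspath(start)
    while True:
        candidate = os.path.join(d, CONFIG_REL)
        if os.path.isfile(candidate):
            return candidate
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root without finding one
            return None
        d = parent


def _exec_config(path):
    """Config is code: run it and return the names it defined."""
    ns = {}
    with open(path) as f:
        exec(compile(f.read(), path, "exec"), {}, ns)
    return ns


def load_config_unsafe(start):
    """DELIBERATELY UNSAFE: evaluates whatever the cwd walk finds, so a file
    planted by another user runs with the caller's (e.g. root's) privileges."""
    path = find_config_upwards(start)
    return {} if path is None else _exec_config(path)


def is_trusted_file(path, uid=None):
    """Accept `path` only if it and its directory are regular (not symlinks),
    owned by the effective user, and not writable by group or others."""
    uid = os.geteuid() if uid is None else uid
    for p in (os.path.dirname(path), path):
        try:
            st = os.lstat(p)
        except OSError:
            return False
        if stat.S_ISLNK(st.st_mode) or st.st_uid != uid:
            return False
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return stat.S_ISREG(os.lstat(path).st_mode)


def load_config_safe(home):
    """Hardened: consult only $HOME/.Inline/config, never the cwd, and only
    when the ownership and permission checks pass. Same idea as -T dropping
    '.' from @INC: the search path must not be attacker-influenced."""
    path = os.path.join(home, CONFIG_REL)
    return _exec_config(path) if is_trusted_file(path) else {}


def _write(path, text, mode):
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def build_scenario(base):
    """Constructed layout: blackhat plants a config in his tree, root's home
    holds a legitimate one. Returns (blackhat_workdir, root_home)."""
    blackhat = os.path.join(base, "home", "blackhat")
    workdir = os.path.join(blackhat, "foo", "bar")
    os.makedirs(workdir)
    _write(os.path.join(blackhat, "foo", CONFIG_REL), "pwned = True\n", 0o644)
    root_home = os.path.join(base, "root")
    os.makedirs(root_home, mode=0o700)
    _write(os.path.join(root_home, CONFIG_REL), "pwned = False\nopt = 'x'\n", 0o600)
    return workdir, root_home


def demo():
    """Run the scenario in a throwaway directory and report what each loader did."""
    base = tempfile.mkdtemp()
    workdir, root_home = build_scenario(base)
    results = {
        "unsafe_from_blackhat_tree": load_config_unsafe(workdir),  # {'pwned': True}
        "safe_from_root_home": load_config_safe(root_home),        # root's own settings
    }
    # Loosen root's own file to 0666: the hardened loader must now refuse it too.
    os.chmod(os.path.join(root_home, CONFIG_REL), 0o666)
    results["safe_after_chmod_666"] = load_config_safe(root_home)  # {}
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened loader still evaluates code; what changes is that the file's location and ownership are fixed by the invoking user's identity rather than by the directory the tool was run from, and a file anyone else could have written is rejected outright. The check uses `lstat` on both the file and its directory so a symlink dropped in either place does not redirect the lookup.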