https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #57 from Marco Moreno <mmor...@pobox.com> ---
Hmmm...I'm now reconsidering this and wonder if option #3 is really the best
solution by removing '.' from @INC.

You made a good point about /tmp being a concern.  This, plus the fact that
they have removed '.' from @INC in recent versions of Perl, has convinced me
that having '.' in @INC is generally a very bad idea and a major security
concern.

Therefore, I want to propose revisiting comment #40 which removes '.' from @INC
in a common library early in the bootstrapping process.  This effectively
undoes the "feature" added in Perl 5.18 and removed in Perl 5.26. 
Additionally, this prevents exploits that attempt to insert '.' via PERL5LIB.

It is a single line of code, does nothing if '.' doesn't exist in @INC, and
doesn't require modifying crons.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
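
The removal proposed in the comment above, as an added example that is not part of the original message and is not Koha's code. The module name PlantedDemo, the helper names, and the scratch directory standing in for a world-writable working directory are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# The single-line removal: a no-op when '.' is not in @INC. In a shared
# library it would run inside a BEGIN block, before later `use` lines
# are resolved. Code-ref hooks in @INC never equal '.', so they survive.
sub strip_dot_from_inc {
    @INC = grep { $_ ne '.' } @INC;
    return scalar @INC;
}

# True if $module can be found through the current @INC.
sub can_load {
    my ($module) = @_;
    ( my $file = "$module.pm" ) =~ s{::}{/}g;
    delete $INC{$file};    # forget the result of any earlier attempt
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed scenario: a scratch directory plays the role of a shared
# working directory (such as /tmp) that holds an unexpected module.
my $start = getcwd();
my $dir   = tempdir( CLEANUP => 1 );
chdir $dir or die "chdir $dir: $!";
open my $fh, '>', 'PlantedDemo.pm' or die "open PlantedDemo.pm: $!";
print {$fh} "package PlantedDemo;\n1;\n";
close $fh or die "close PlantedDemo.pm: $!";

# Put '.' in @INC the way an older perl default or PERL5LIB=. would.
push @INC, '.' unless grep { $_ eq '.' } @INC;

printf "with '.' in \@INC:    PlantedDemo %s\n",
    can_load('PlantedDemo') ? 'loads from cwd' : 'not found';

strip_dot_from_inc();

printf "after stripping '.': PlantedDemo %s\n",
    can_load('PlantedDemo') ? 'loads from cwd' : 'not found';

# Leave the scratch directory so File::Temp can remove it at exit.
chdir $start or die "chdir $start: $!";
```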
