https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #58 from Tomás Cohen Arazi <[email protected]> ---
(In reply to Marco Moreno from comment #57)
> Hmmm...I'm now reconsidering this and wonder if option #3 is really the best
> solution by removing '.' from @INC.
> 
> You made a good point about /tmp being a concern.  This, plus the fact that
> they have removed '.' from @INC in recent versions of Perl, has convinced me
> that having '.' in @INC is generally a very bad idea and a major security
> concern.
> 
> Therefore, I want to propose revisiting comment #40 which removes '.' from
> @INC in a common library early in the bootstrapping process.  This
> effectively undoes the "feature" added in Perl 5.18 and removed in Perl
> 5.26.  Additionally, this prevents exploits that attempt to insert '.' via
> PERL5LIB.

I considered that option. But we would need to do it on every script, and we
would also be changing the current behaviour. Someone might be using their own
lib (or version of some lib) on purpose and we'd be breaking them. So, for the
general user base, we should stick with the cleaner solution IMHO.

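As an added illustration of the approach discussed above (stripping '.' from @INC in a common library early in bootstrapping), the following module is example code, not code from the Koha project or from either commenter; the package name is an assumption. Loaded with `use` before anything else, it removes '.' and every other relative entry from @INC at compile time, so later `use`/`require` statements cannot resolve against the current working directory.

```perl
package Koha::SanitizeINC;   # hypothetical name, not an actual Koha module
use strict;
use warnings;
use File::Spec;

# Drop '.' and any other relative entry from @INC. A relative entry is
# resolved against the current working directory, so a script started from
# a world-writable directory such as /tmp could load an attacker-supplied
# file in place of a real module. Because @INC is rewritten here rather than
# in each script, a '.' added through PERL5LIB is removed as well.
# Returns the list of entries that were removed.
sub sanitize_inc {
    my @removed;
    @INC = grep {
        my $entry = $_;
        # Code refs, array refs and objects are legitimate @INC hooks: keep them.
        my $keep = ref($entry) || File::Spec->file_name_is_absolute($entry);
        push @removed, $entry unless $keep;
        $keep;
    } @INC;
    return @removed;
}

# BEGIN runs while this module is being compiled, i.e. before the 'use'
# statements that follow it in the loading script are processed.
BEGIN {
    my @removed = sanitize_inc();
    warn "Removed relative \@INC entries: @removed\n" if @removed;
}

1;
```

As the reply notes, this also drops any relative entry a site added on purpose through PERL5LIB, which is the behaviour change being weighed in the thread.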
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/