#1589: Move . to the end of the library search path
--------------------+-------------------------------------------------------
 Reporter:  sorear  |        Type:  bug   
   Status:  new     |    Priority:  normal
Milestone:          |   Component:  none  
  Version:  2.3.0   |    Severity:  high  
 Keywords:          |        Lang:        
    Patch:          |    Platform:        
--------------------+-------------------------------------------------------
 Here's a snippet of strace output after I accidentally ran parrot-nqp in a
 directory with a Regex.pbc file:

 {{{
 stat64("./Regex.pbc", {st_mode=S_IFREG|0644, st_size=100432, ...}) = 0
 open("./Regex.pbc", O_RDONLY|O_LARGEFILE) = 3
 stat64("./P6object.pbc", 0xbf9ee9bc)    = -1 ENOENT (No such file or directory)
 stat64("./P6object.pir", 0xbf9ee9bc)    = -1 ENOENT (No such file or directory)
 stat64("./P6object.pasm", 0xbf9ee9bc)   = -1 ENOENT (No such file or directory)
 stat64("./P6object.pbc", 0xbf9ee9bc)    = -1 ENOENT (No such file or directory)
 stat64("/usr/local/./P6object.pbc", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
 stat64("/usr/local/./P6object.pir", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
 stat64("/usr/local/./P6object.pasm", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
 stat64("/usr/local/./P6object.pbc", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
 stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
 stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
 stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
 stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
 open("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", O_RDONLY|O_LARGEFILE) = 3
 }}}

 Parrot has taken Regex.pbc in the current directory before even checking
 for it in the standard libraries.  The same behavior occurs with all other
 Parrot-based programs which use installed libraries.  This provides an
 attack vector against Parrot users:

  1. Wait for Perl6-on-Parrot to hit the big time.
  1. Distribute a shady tarball containing a malicious P6Regex.pbc inside
 it.
  1. The victim unpacks the tarball and attempts to analyze the contents.
  1. The user runs his Perl 6 based editor.
  1. Rakudo loads Perl6.pbc from the current directory.  My code is now
 running.

 It's probably best to follow Perl 5's example here:

 {{{
 $ perl -V
 ...
   @INC:
     /usr/local/lib/perl5/site_perl/5.12.0/i686-linux-thread-multi
     /usr/local/lib/perl5/site_perl/5.12.0
     /usr/local/lib/perl5/5.12.0/i686-linux-thread-multi
     /usr/local/lib/perl5/5.12.0
     .
 }}}

 With the current directory at the end, installed programs which use only
 installed libraries will never be tricked into running code in the current
 directory.  Hopefully it is not too common for installed programs to
 reference nonexistent libraries.

-- 
Ticket URL: <https://trac.parrot.org/parrot/ticket/1589>
Parrot <https://trac.parrot.org/parrot/>
Parrot Development
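
An added example, not part of the ticket or of Parrot's code: a small audit helper that scans strace output like the snippet above and reports library files that were successfully opened through a path relative to the current directory. The function name, the extension list and the sample lines (adapted from the ticket's trace plus constructed ones) are assumptions made for illustration.

```python
import re

# Extensions the ticket's trace shows Parrot probing for.
PARROT_EXTS = (".pbc", ".pir", ".pasm")

# Matches: open("path", ...) = N   and   openat(AT_FDCWD, "path", ...) = N
# openat() with any other directory fd is skipped: it is not cwd-relative.
_OPEN_RE = re.compile(
    r'\b(?:open|openat)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)'
    r'\s*=\s*(?P<ret>-?\d+)'
)

def cwd_library_loads(strace_text, exts=PARROT_EXTS):
    """Return cwd-relative library paths that were opened successfully."""
    hits = []
    for line in strace_text.splitlines():
        m = _OPEN_RE.search(line)
        if not m:
            continue  # stat64() probes and unrelated syscalls
        path, ret = m.group("path"), int(m.group("ret"))
        if ret < 0:
            continue  # failed open (ENOENT etc.): nothing was loaded
        if path.startswith("/"):
            continue  # absolute path: resolved from an installed location
        if path.endswith(exts):
            hits.append(path)
    return hits

# Sample input: first four lines adapted from the ticket, last two constructed.
SAMPLE = '''\
stat64("./Regex.pbc", {st_mode=S_IFREG|0644, st_size=100432, ...}) = 0
open("./Regex.pbc", O_RDONLY|O_LARGEFILE) = 3
stat64("./P6object.pbc", 0xbf9ee9bc)    = -1 ENOENT (No such file or directory)
open("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", O_RDONLY|O_LARGEFILE) = 3
openat(AT_FDCWD, "notes.txt", O_RDONLY) = 4
open("./missing.pir", O_RDONLY) = -1 ENOENT (No such file or directory)
'''

if __name__ == "__main__":
    for path in cwd_library_loads(SAMPLE):
        print("library loaded from current directory:", path)
```

A trace to feed it can be captured with `strace -o trace.log -e trace=open,openat <program>`; an installed program that uses only installed libraries should produce no hits.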