Why doesn't Perl want to require specific files when running under -T?

I recently noticed that on my system it is not possible to require 'lib/file.pl' when running under -T, but require './lib/file.pl' works.

    $ perl -wT -e 'require "lib/file.pl";'
    Can't locate lib/file.pl in @INC (@INC contains: /usr/lib/perl5/site_perl/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.14.2 /usr/lib/perl5/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/5.14.2 /usr/lib/perl5/site_perl/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/site_perl)
    $ perl -wT -e 'require "./lib/file.pl"'

Running without -T works both ways:

    $ perl -w -e 'require "lib/file.pl"'
    $ perl -w -e 'require "./lib/file.pl"'

In taint mode, "." is not included in @INC:

    $ perl -w -e 'print "@INC"'
    [..snip..] /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/site_perl .
    $ perl -wT -e 'print "@INC"'
    [..snip..] /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/site_perl

I could not find this behavior in the documentation. Can someone tell me where this is documented, or why -T doesn't like it? What is it about the lib directory?

+4
1 answer

Erm... this is actually well documented, I suppose:

When taint mode (-T) is in effect, the "." directory is removed from @INC, and the PERL5LIB and PERLLIB environment variables are ignored by Perl. You can still adjust @INC from outside the program by using the -I command line option, as explained in perlrun.

... but I think that is only half the answer. The reasons for this decision are given here:

... the problem with @INC is really more related to SUID scripts than to CGI scripts. When you have a SUID script that can be executed with the permissions of another user (for example, root), Perl switches to taint mode automatically.

In this case, the ability to load libraries from the user's current directory would be a huge security hole for a SUID script. If the script has a bug where a library is not found in the normal directory path, then a user can exploit this by writing their own malicious version of the library, placing it in the current directory, and running the SUID script from that directory.

However, this is not exactly the same problem with CGI scripts. Users do not execute your script from arbitrary directories. Your web server is what the script is called from. Keeping a "." in @INC is not really a problem compared to SUID scripts, which automatically run in taint mode.

+12
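To make the answer's point concrete, here is an added example (not part of the original question or answer, and not Perl's own code). It is a small script that reports whether taint mode is on, whether "." is in @INC, and which directory a require 'file.pl' would actually resolve to, walking @INC in order the way require does. It then adds a library directory anchored to the script's own location via FindBin rather than to the caller's current directory, which is the usual way to keep a local lib/ working under -T without putting "." back. The lib/file.pl layout is assumed to match the question; the dir_is_safe check (refuse to trust a world-writable directory) is this example's own addition.

```perl
#!/usr/bin/perl -T
# Added example: inspect @INC under taint mode and load a local library safely.
# Assumes the layout from the question: this script sits beside a lib/ directory
# that contains file.pl (which must end in a true value, as require demands).
# Run as:  perl -T inc_check.pl   (from any directory)
use strict;
use warnings;
use FindBin qw($RealBin);    # absolute, symlink-resolved directory of this script
use lib "$RealBin/lib";      # anchored to the script, not to the caller's cwd

# True when '.' (the caller's current directory) is in the search path.
sub dot_in_inc {
    return scalar grep { !ref($_) && $_ eq '.' } @INC;
}

# A directory other users can write to is not a trustworthy library source:
# anyone who can create files there can supply the "library" that gets loaded.
sub dir_is_safe {
    my ($dir) = @_;
    my @st = stat $dir or return 0;
    return ( $st[2] & 0002 ) == 0;    # world-writable bit must be clear
}

# Walk @INC in order, the way require does, and report the first hit.
# Returns the resolved path, or undef if no entry contains $rel.
sub locate_in_inc {
    my ($rel) = @_;
    for my $dir (@INC) {
        next if ref $dir;             # code refs / objects in @INC are skipped here
        my $candidate = "$dir/$rel";
        next unless -f $candidate;
        warn "WARNING: $candidate lives in world-writable directory $dir\n"
            unless dir_is_safe($dir);
        return $candidate;
    }
    return;
}

printf "taint mode  : %s\n", ${^TAINT} ? 'on' : 'off';
printf "'.' in \@INC: %s\n", dot_in_inc() ? 'yes' : 'no';

my $target = 'file.pl';
my $found  = locate_in_inc($target);
if ( defined $found ) {
    print "$target resolves to $found\n";
    require $target;                  # plain literal, so not tainted
}
else {
    print "$target not found in any \@INC directory\n";
}
```

The -I option the perlsec quote mentions is the command-line equivalent of the use lib line, so perl -wT -I"$PWD/lib" -e 'require "file.pl"' also works under taint mode; the difference from the question's failing command is that the directory is named explicitly instead of being found through ".". Note that from Perl 5.26 onwards "." is no longer in @INC by default even without -T, so the non-taint half of the question's output is specific to older releases such as the 5.14 shown there.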
