Perl: Why is . no longer part of @INC in Debian 9?

While installing Debian 9 I noticed that . is no longer part of @INC.

Perl (v5.24.1) built for x86_64-linux-gnu-thread-multi

Built under linux
Compiled at Jan 15 2017 23:35:20
@INC:
 /etc/perl
 /usr/local/share/perl/5.24.1
 /usr/lib/x86_64-linux-gnu/perl5/5.24
 /usr/share/perl5
 /usr/lib/x86_64-linux-gnu/perl/5.24
 /usr/share/perl/5.24
 /usr/local/lib/site_perl
 /usr/lib/x86_64-linux-gnu/perl-base

Does anyone know why?

Solution

Because . was removed from @INC for the core modules in 5.24.1. This is a security feature to prevent the exploits that this blog post talks about.

In February, I opened a ticket with Perl 5 Porters to get them to accept a non-default option to remove . from @INC. Unfortunately, I was beaten to the punch and an exploit was disclosed to Perl 5 Security. TL;DR: There are now known insecurities about having . in @INC.

The change is documented in the perldelta for 5.24.1.

This prevents an attacker injecting an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.

It will most likely be removed completely in 5.26. Here's more discussion on the p5p mailing list, taken from this blog post.

Here are (some of) the commits that made these changes.

Perl Pumpkin Sawyer X also explained this in the talk Perl 5.24, 5.26, and the Future of Perl 5 he gave at FOSDEM 2017. Here is the recording.

1) all videos from the Perl room at FOSDEM 2017
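
An added example, not part of the original question or answer: a small audit script that lists @INC and flags entries that are resolved against the current directory or that other users can write to, and shows the explicit `use lib` replacement for code that used to rely on `.`. The `lib` directory next to the script and the output labels are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: report @INC entries that depend on the current directory
# or that other users can write to, then show the explicit alternative.
use strict;
use warnings;
use File::Spec;
use FindBin qw($RealBin);

# Explicit replacement for an implicit "." entry: load private modules from
# a directory next to the script ("lib" is a hypothetical layout).
use lib "$RealBin/lib";

# Return a list of findings for one @INC entry (empty list means no issue).
sub audit_inc_entry {
    my ($entry) = @_;
    return ('code hook: review by hand') if ref $entry;
    return ('relative: resolved against the cwd at require time')
        unless File::Spec->file_name_is_absolute($entry);

    # Directories that do not exist are skipped by perl, so skip them here.
    my @st = stat($entry) or return;
    my ($mode, $uid) = @st[2, 4];

    my @findings;
    push @findings, 'world-writable' if $mode & 0002;
    push @findings, "owned by uid $uid, neither root nor the current user"
        if $uid != 0 && $uid != $>;
    return @findings;
}

my $bad = 0;
for my $entry (@INC) {
    my @findings = audit_inc_entry($entry);
    $bad++ if @findings;
    printf "%-6s %s%s\n", (@findings ? 'CHECK' : 'ok'), $entry,
        (@findings ? '  <- ' . join('; ', @findings) : '');
}

# PERL_USE_UNSAFE_INC=1 puts "." back into @INC on perl 5.26 and later.
print "note: PERL_USE_UNSAFE_INC is set in this environment\n"
    if $ENV{PERL_USE_UNSAFE_INC};

exit($bad ? 1 : 0);
```

The script exits non-zero when any entry is flagged, so it can run as a check before a job that executes with a working directory such as /tmp.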
