Perl (v5.24.1) built for x86_64-linux-gnu-thread-multi
Built under linux
Compiled at Jan 15 2017 23:35:20
@INC:
    /etc/perl
    /usr/local/share/perl/5.24.1
    /usr/lib/x86_64-linux-gnu/perl5/5.24
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl/5.24
    /usr/share/perl/5.24
    /usr/local/lib/site_perl
    /usr/lib/x86_64-linux-gnu/perl-base
Does anyone know why?
Solution
In February, I opened a ticket with Perl 5 Porters to get them to accept a non-default option to remove . from @INC. Unfortunately, I was beaten to the punch and an exploit was disclosed to Perl 5 Security. TL;DR: There are now known insecurities about having . in @INC.
The change is documented in the perldelta for 5.24.1.
This prevents an attacker injecting an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.
It is likely to be removed completely in 5.26. Here's more discussion on the p5p mailing list, taken from this blog post.
Here are (some of) the commits that made these changes.
Perl Pumpking Sawyer X also explained this in the talk Perl 5.24, 5.26, and the Future of Perl 5 he gave at FOSDEM 2017. Here is the recording.
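The condition quoted from perldelta above (a module search path that resolves to a directory another user can write to) can be checked on a given installation. The script below is an added example, not part of the original answer or of Perl's own code; the function names audit_inc_entry and audit_inc and the sample list are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: report @INC entries that are resolved against the current
# working directory or that point at directories other accounts can write to.
use strict;
use warnings;
use File::Spec;
use Fcntl qw(:mode);

# Return the list of findings for one @INC entry (empty list = nothing to report).
sub audit_inc_entry {
    my ($entry) = @_;
    # Code refs and objects in @INC are loader hooks, not directories.
    return () if ref $entry;
    my @findings;
    # Relative entries such as "." or "lib" are resolved against the current
    # directory at require/use time, so their target changes with the cwd.
    push @findings, 'not an absolute path'
        unless File::Spec->file_name_is_absolute($entry);
    # A relative entry is stat'ed as it resolves right now, from this cwd.
    my @st = stat $entry;
    if (@st && S_ISDIR($st[2])) {
        my $mode = $st[2];
        push @findings, 'group-writable' if $mode & S_IWGRP;
        push @findings, 'world-writable' if $mode & S_IWOTH;
    }
    return @findings;
}

# Audit a list of entries; returns one "entry: finding, finding" line each.
sub audit_inc {
    my @report;
    for my $entry (@_) {
        my @f = audit_inc_entry($entry);
        push @report, "'$entry': " . join(', ', @f) if @f;
    }
    return @report;
}

unless (caller) {
    # Constructed sample list: two relative entries, /tmp, one system path.
    print "constructed sample:\n";
    print "  $_\n" for audit_inc('.', 'lib', '/tmp', '/usr/share/perl5');
    # The search path of the interpreter running this script.
    print "this interpreter's \@INC:\n";
    print "  $_\n" for audit_inc(@INC);
}
```

Run it with the same interpreter and from the same working directory as the program being checked, since both determine what a relative entry resolves to.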