PerlMonks |
Re^3: use lib './' security safe?
by Ven'Tatsu (Deacon) on Jul 20, 2004 at 14:00 UTC ( [id://375924]=note )
I don't think that '.' in @INC is a security risk in the same way as '.' in $ENV{PATH} would be. With PATH there is a risk of root cd'ing into a directory and running a trojaned ls, compromising the system. An attacker might have write access to their home directory, which would be expected (under the assumption that the attacker is an authorised user). With @INC, if the attacker can write a trojaned CGI.pm then they would have write access to the directory, and they could just as easily unlink the script itself and replace it with a trojaned version. Correct me if I'm missing something.
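An added example, not part of Ven'Tatsu's post or the thread: a small audit of @INC for the situation discussed above, reporting where a relative entry such as './' currently resolves, whether that is the script's own directory, and who can write to it. It assumes a POSIX system; the sub name `audit_inc_entry` is hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use lib './';    # the construct under discussion in this thread
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Spec;

# Return a list of findings for one @INC entry (empty list = nothing to report).
# audit_inc_entry is a hypothetical helper written for this example.
sub audit_inc_entry {
    my ($entry, $script_dir) = @_;
    return () if ref $entry;       # skip coderef/object hooks in @INC
    return () unless -d $entry;    # nonexistent library dirs are common, skip them

    my @findings;
    my $resolved = abs_path($entry);    # relative entries resolve against the cwd
    return () unless defined $resolved;

    if (!File::Spec->file_name_is_absolute($entry)) {
        push @findings, "relative entry, currently resolves to $resolved";
        push @findings, "that is not the script's directory ($script_dir)"
            if $resolved ne $script_dir;
    }

    # Permission and ownership of the directory modules would be loaded from.
    my @st   = stat($resolved) or return @findings;
    my $mode = $st[2] & 07777;
    push @findings, sprintf("writable by group or other (mode %04o)", $mode)
        if $mode & 0022;
    push @findings, "owned by uid $st[4], neither root nor the effective user"
        if $st[4] != 0 && $st[4] != $>;

    return @findings;
}

my $script_dir = abs_path(dirname($0));
for my $entry (@INC) {
    my @findings = audit_inc_entry($entry, $script_dir);
    next unless @findings;
    print "$entry\n";
    print "    - $_\n" for @findings;
}
```

Running it once from the script's directory and once from another directory shows how the resolved location of './' follows the working directory of the caller.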