I'm using optional dependencies in some of my scripts and modules to add capability for 'MSWin32' platforms (namely, color with Win32::Console::ANSI and BASH-like command line parsing with Win32::CommandLine). Since these modules are only loadable on 'MSWin32' systems, they are loaded mid-run as optional dependencies. Because they are optional dependencies, they expose the script / module to the ". in @INC" threat vector.
ref: https://dzone.com/articles/security-separation-of-concerns-and-cve-2016-1238 @@ https://archive.is/sKbcs
Currently, the code is usually something like ...
and# Module-Foo.pm use Term::ANSIColor; () = eval { require Win32::Console::ANSI } if 'MS +Win32' eq $^O;
# script-foo.pl no lib q{.}; # mitigate the ". in @INC" security threat vector when us +ing optional dependencies @ARGV = Win32::CommandLine::argv() if eval { require Win32::CommandLin +e };
For the module case, the OS/platform check at least narrows down the threat to only 'MSWin32' systems. But, especially in the case of modules, I'd like to remove the threat completely. Unfortunately, `no lib q{.}` is global, and I can't figure out a way to use it without affecting everything.
My other thought for modules was to add the optional dependencies as platform-specific required dependencies, but I'm trying to use the `dzil` build system with both 'Build.PL' and 'Makefile.PL', and I see no compatible method of specifying a platform-specific requirement.
Any thoughts on how to improve this?
In reply to Mitigating ". in @INC" for optional dependencies by Wyrdweaver
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |