
Perl: Why is . no longer part of @INC in Debian 9?

Published: 2020-12-15 21:42:24 | Category: Big Data | Source: collected from the web
While installing Debian 9 I noticed that . is no longer part of @INC.

Perl (v5.24.1) built for x86_64-linux-gnu-thread-multi

Built under linux
Compiled at Jan 15 2017 23:35:20
@INC:
 /etc/perl
 /usr/local/share/perl/5.24.1
 /usr/lib/x86_64-linux-gnu/perl5/5.24
 /usr/share/perl5
 /usr/lib/x86_64-linux-gnu/perl/5.24
 /usr/share/perl/5.24
 /usr/local/lib/site_perl
 /usr/lib/x86_64-linux-gnu/perl-base

Does anyone know why?

Solution

Because . was removed from @INC for core modules in 5.24.1. It is a security feature to prevent the exploit that this blog post talks about.

In February, I opened a ticket with Perl 5 Porters to get them to accept a non-default option to remove . from @INC. Unfortunately, I was beaten to the punch and an exploit was disclosed to Perl 5 Security. TL;DR: There are now known insecurities about having . in @INC.

The change is documented in the perldelta for 5.24.1.

This prevents an attacker injecting an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.

It will most likely be removed completely in 5.26. Here's more discussion on the p5p mailing list, taken from this blog post.

Here are (some of) the commits that made these changes.

Perl Pumpking Sawyer X also explained this in the talk Perl 5.24, 5.26, and the Future of Perl 5 he gave at FOSDEM 2017. Here is the recording.

1) all videos from the Perl room at FOSDEM 2017

(Editor: 李大同)
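
A defensive check for the condition the answer describes, as an added example that is not part of the original question or answer: it flags @INC entries that are relative (such as .) or writable by other users. The helper name audit_inc and the sample directories are assumptions made up for this illustration.

```perl
#!/usr/bin/perl
# Added example: flag module search-path entries another local user could
# influence. The sample directories below are constructed for the demo.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Spec;
use File::Temp qw(tempdir);

# Return [entry, reason] pairs for risky entries in the given path list.
sub audit_inc {
    my @findings;
    for my $entry (@_) {
        next if ref $entry;    # @INC hooks (code refs, objects) are not paths
        if (!File::Spec->file_name_is_absolute($entry)) {
            # "." and every other relative entry follow the process's cwd
            push @findings, [$entry, 'relative: resolved against the current directory'];
            next;
        }
        my @st = stat($entry) or next;    # skip entries that do not exist
        if ($st[2] & S_IWOTH) {
            push @findings, [$entry, 'world-writable'];
        }
        elsif ($st[4] != 0 && $st[4] != $>) {
            push @findings, [$entry, "owned by uid $st[4], not root or the current user"];
        }
    }
    return @findings;
}

# Constructed sample: one world-writable and one private directory.
my $base = tempdir(CLEANUP => 1);
my ($shared, $private) = ("$base/shared", "$base/private");
mkdir $_ or die "mkdir $_: $!" for $shared, $private;
chmod 0777, $shared  or die "chmod $shared: $!";
chmod 0755, $private or die "chmod $private: $!";

for my $set (['constructed sample', '.', 'lib', $shared, $private],
             ['this perl', @INC]) {
    my ($label, @paths) = @$set;
    my @bad = audit_inc(@paths);
    printf "%s: %d risky entr%s\n", $label, scalar(@bad), @bad == 1 ? 'y' : 'ies';
    printf "  %-45s %s\n", @$_ for @bad;
}
```

Code that depended on the old behaviour can add the intended directory explicitly, for example with use lib and FindBin's $Bin, rather than relying on the current directory.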
