
Why doesn't Perl want to require certain files when running under -T?

Published: 2020-12-15 23:26:55 | Category: Big Data | Source: compiled from the web
I recently noticed that on my system it is not possible to require 'lib/file.pl' when running under -T, but require './lib/file.pl' works.

$ perl -wT -e 'require "lib/file.pl";'
Can't locate lib/file.pl in @INC (@INC contains: /usr/lib/perl5/site_perl/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.14.2 /usr/lib/perl5/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/5.14.2 /usr/lib/perl5/site_perl/5.14.2/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/site_perl)

$ perl -wT -e 'require "./lib/file.pl"'

Without -T, both forms work:
$ perl -w -e 'require "lib/file.pl"'
$ perl -w -e 'require "./lib/file.pl"'

In taint mode, "." is not part of @INC.

perl -w -e 'print "@INC"'
[..snip..] /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/site_perl .
perl -wT -e 'print "@INC"'
[..snip..] /usr/lib/perl5/site_perl/5.14.2 /usr/lib/perl5/site_perl

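I couldn't find that behaviour in the documentation. Can someone tell me where this is documented, or why -T doesn't like "." as a lib directory?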

Solution

Well... this is actually well documented, I think:

When the taint mode (-T) is in effect, the "." directory is removed
from @INC, and the environment variables PERL5LIB and PERLLIB are
ignored by Perl. You can still adjust @INC from outside the program by
using the -I command line option as explained in perlrun.

...but I guess that's only half the answer. The reasoning behind this decision is here:

… the issue with @INC is really more of a problem with SUID scripts
than CGI scripts. When you have an SUID script that can execute with
the permissions of another user (such as root), Perl goes into
taintmode automatically.

For this SUID script case, it would be a huge security breach to have
the capability of loading libraries from the user's current directory.
If a script ends up having a bug where the library is not found in the
normal directory path, then a user could exploit this by writing their
own, malicious version of the library, putting it in the current
directory, and running the SUID script from their current directory.

However, this is not really the same problem with CGI scripts. Users are not executing your script from arbitrary directories. Your web server controls which directory the script is called from. So keeping "." in @INC is not really a problem compared to SUID scripts which operate under taint mode automatically.

(Editor: 李大同)
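The following Perl script is an added example, not code from the original question or answer. It puts a `lib` directory beside the script into @INC as an absolute, untainted path under -T, and reports @INC entries that are relative or writable by group or others, which is the library-planting condition the quoted explanation describes. The `lib` layout and the function names `script_lib_dir` and `risky_inc_entries` are assumptions made for illustration.

```perl
# Added example; run as: perl -T <this file>
# Assumed layout (constructed): libraries sit in a "lib" directory
# beside this script.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Spec;

# Absolute, untainted path of the "lib" directory beside $script.
sub script_lib_dir {
    my ($script) = @_;
    my $dir = abs_path(dirname($script));
    defined $dir or die "cannot resolve directory of script\n";
    # Allow-list the path characters; a regex capture is untainted.
    my ($clean) = $dir =~ m{\A(/[\w./-]*)\z}
        or die "unexpected characters in script path\n";
    return File::Spec->catdir($clean, 'lib');
}

# @INC entries that would let another local user plant a module:
# relative paths (resolved against the caller's current directory) and
# directories writable by group or others. Parent directories are not checked.
sub risky_inc_entries {
    my @findings;
    for my $dir (@_) {
        next if ref $dir;    # @INC hooks are not directories
        if (!File::Spec->file_name_is_absolute($dir)) {
            push @findings, [$dir, 'relative path'];
            next;
        }
        my @st = stat($dir) or next;    # nonexistent entries load nothing
        push @findings, [$dir, 'writable by group or others']
            if $st[2] & 0022;
    }
    return @findings;
}

unless (caller) {
    unshift @INC, script_lib_dir($0);    # replaces reliance on "."
    my @risky = risky_inc_entries(@INC);
    printf "%s: %s\n", @$_ for @risky;
    print "no risky \@INC entries found\n" unless @risky;
}
```

Passing `-I.` or `-Ilib` on the command line, as the perlsec passage allows, puts a relative entry back into @INC, and `risky_inc_entries` reports it.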
