@INC problem, I thought about what kind of danger there is if there is a current directory "." At the beginning of the module path

In Perl 5.26, the current directory "." Is deleted from the beginning of @INC, which is the module search path. There is an explanation that it is for security measures, but I thought about what kind of situation there is actually danger.

It is dangerous to change the directory writable by other users to the current directory

For example, consider the following script (test.pl).

chdir'/ tmp';

require File::Path;

This script first changes the current directory to a directory called "/ tmp".

The important thing here is that the directory "/ tmp" can be read and written by other users.

Being writable by other users means that you can put a file called "Find/Path.pm". (Reference: File::Path)

If the current directory "." Exists at the beginning of the module load path, it first tries to load the module that exists in the current directory.

This script then tries to read "Find/Path.pm" which exists in the current directory "/ tmp".

If the contents of "Find/Path.pm" are made into an attack program, "test.pl" will unintentionally execute "Find/Path.pm" in "/ tmp". ..

This seems to be a problem of "untrustworthy search path vulnerability".

Scripts other than "/ tmp" that make a directory writable by other users the current directory can be said to have this vulnerability.

Addendum

I've written many times that "." Has been added to the beginning of @INC, but it was a mistake that "." Was added to the end . I got an indication on Twitter.

Related Informatrion