Subject: patch attached for perlsec.pod
I tried to make sure this would be put in a place that has not changed between versions. It is a brief description of attacks against the current directory and safe coding strategies. Feedback is welcome when you have time and bandwidth to give it (not expecting an immediate discussion).
--- a/perlsec.pod 2016-08-05 06:22:29.062358445 +0200 +++ b/perlsec.pod 2016-08-05 06:21:54.754415959 +0200 
@@ -445,6 +445,42 @@ L<perlunicode> for details, and L<perlunicode/"Security Implications of Unicode"> for security implications in particular. +=head2 Code Inclusion from the Current Working Directory + +The current directory in the load path are potentially dangerous and +while taint mode provides some protection there are a number of key +problems that can crop up. Particularly when releasing published +software, programs can be attacked in various ways. Because of the +complexity of the dependency tree in many programs, these problems +can be very difficult to notice. + +=over 4 + +=item Falling back to current working directory for optional dependencies + +Current versions of Perl's C<@INC> contain the last entry as the current working +directory. This means that code that requires another module within an eval +statement will eventually look in the current working directory to see if that +file exists, but the file isn't required on the system, so if an attacker can +place an optional dependency of any dependency of your script in the current +working directory then, aside from Taint mode, your script may load and execute +the contents of the script. The safest solution is to use C<no lib '.'> at +the head of your Perl programs. + + +=item Code Preload Injection Attacks + +If a script has the current working directory at a high priority (for example +due to the use of C<use lib '.'> or C<-I.>, then if an attacker can place a +file with the same name as any dependency (optional or not) in the current +working directory or the program, then this file can transparently inject code +into the main program by loading and running code into memory, then unloading +itself and loading the correct module. In general, these are somewhat +dangerous with or without Taint Mode. + +=back + + =head2 Algorithmic Complexity Attacks Certain internal algorithms used in the implementation of Perl can
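Review bot: the second item's parenthetical "(for example due to the use of C<use lib '.'> or C<-I.>," is never closed, and "in the current working directory or the program" reads like a typo for "of the program"; suggest "(for example due to the use of C<use lib '.'> or C<-I.>)" and "in the current working directory of the program". The first item also needs "The current directory in the load path is potentially dangerous", and its "aside from Taint mode" sits uneasily beside the second item's "with or without Taint Mode": state once what taint mode does and does not change about C<.> in C<@INC>, so the two items do not appear to disagree. The sentence "but the file isn't required on the system" is hard to follow; it seems to mean that when the optional module is absent from every other C<@INC> entry the search falls through to C<.> last, and saying so explicitly would help. Finally, the C<no lib '.'> recommendation deserves the caveat that it only removes the literal C<.> entry, so a later C<use lib '.'> or C<-I.> in the program or its wrapper puts the directory back.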